├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── LICENSE ├── NOTICE ├── README.md ├── adrs └── 001-use-kapp-versioned.md ├── build ├── eirini │ ├── _vendir │ │ └── eirini │ │ │ ├── core │ │ │ ├── api-configmap.yml │ │ │ ├── api-deployment.yml │ │ │ ├── api-rbac.yml │ │ │ ├── api-service.yml │ │ │ ├── instance-index-env-injector-configmap.yml │ │ │ ├── instance-index-env-injector-deployment.yml │ │ │ ├── instance-index-env-injector-rbac.yml │ │ │ ├── instance-index-env-injector-service.yml │ │ │ ├── instance-index-env-injector-webhook.yml │ │ │ ├── migration-job.yml │ │ │ ├── migration-rbac.yml │ │ │ ├── task-reporter-configmap.yml │ │ │ ├── task-reporter-deployment.yml │ │ │ └── task-reporter-rbac.yml │ │ │ ├── events │ │ │ ├── event-reporter-configmap.yml │ │ │ ├── event-reporter-deployment.yml │ │ │ └── event-reporter-rbac.yml │ │ │ └── workloads │ │ │ ├── app-rbac.yml │ │ │ ├── core │ │ │ ├── api-rbac.yml │ │ │ └── task-reporter-rbac.yml │ │ │ └── events │ │ │ └── event-reporter-rbac.yml │ ├── build.sh │ └── overlays │ │ └── rename-opi-service-name.yml ├── istio │ ├── build.sh │ ├── generate.sh │ ├── istioctl-values.yaml │ ├── overlays │ │ ├── add-fluent-bit-sidecar-to-ingressgateway.yaml │ │ ├── add-version-tag.yaml │ │ ├── ingressgateway-as-root.yaml │ │ ├── ingressgateway-daemonset.yaml │ │ ├── ingressgateway-drain.yaml │ │ ├── istio-system-namespace.yaml │ │ ├── kapp-compatible.yaml │ │ └── mtls-mesh-policy.yaml │ └── values.yaml ├── minio │ ├── _vendir │ │ ├── LICENSE │ │ └── stable │ │ │ └── minio │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── OWNERS │ │ │ ├── README.md │ │ │ ├── ci │ │ │ └── distributed-values.yaml │ │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helper_create_bucket.txt │ │ │ ├── _helpers.tpl │ │ │ ├── configmap.yaml │ │ │ ├── deployment.yaml │ │ │ ├── ingress.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── poddisruptionbudget.yaml │ │ │ ├── 
post-install-create-bucket-job.yaml │ │ │ ├── post-install-prometheus-metrics-job.yaml │ │ │ ├── post-install-prometheus-metrics-role.yaml │ │ │ ├── post-install-prometheus-metrics-rolebinding.yaml │ │ │ ├── post-install-prometheus-metrics-serviceaccount.yaml │ │ │ ├── pvc.yaml │ │ │ ├── secrets.yaml │ │ │ ├── service.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── servicemonitor.yaml │ │ │ └── statefulset.yaml │ │ │ └── values.yaml │ ├── build.sh │ ├── osl-compliant-image-override.yml │ ├── scrub_default_creds.yml │ └── values.yml ├── postgres │ ├── _vendir │ │ ├── LICENSE │ │ └── bitnami │ │ │ └── postgresql │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── README.md │ │ │ ├── ci │ │ │ ├── commonAnnotations.yaml │ │ │ ├── default-values.yaml │ │ │ └── shmvolume-disabled-values.yaml │ │ │ ├── files │ │ │ ├── README.md │ │ │ ├── conf.d │ │ │ │ └── README.md │ │ │ └── docker-entrypoint-initdb.d │ │ │ │ └── README.md │ │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── configmap.yaml │ │ │ ├── extended-config-configmap.yaml │ │ │ ├── initialization-configmap.yaml │ │ │ ├── metrics-configmap.yaml │ │ │ ├── metrics-svc.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── podsecuritypolicy.yaml │ │ │ ├── prometheusrule.yaml │ │ │ ├── role.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── secrets.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── servicemonitor.yaml │ │ │ ├── statefulset-slaves.yaml │ │ │ ├── statefulset.yaml │ │ │ ├── svc-headless.yaml │ │ │ ├── svc-read.yaml │ │ │ └── svc.yaml │ │ │ ├── values-production.yaml │ │ │ ├── values.schema.json │ │ │ └── values.yaml │ ├── build.sh │ └── init-db-values.yml └── quarks-secret │ ├── _vendir │ ├── LICENSE │ ├── NOTICE │ └── deploy │ │ └── helm │ │ └── quarks-secret │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── cluster-role.yaml │ │ ├── crds.yaml │ │ ├── operator.yaml │ │ ├── service-account-pull-secret.yaml │ │ └── service-account.yaml │ │ 
└── values.yaml │ ├── build.sh │ ├── image-override.yml │ └── quarks-values.yaml ├── ci ├── configure ├── dockerfiles │ ├── cf-for-k8s-aws │ │ └── Dockerfile │ ├── cf-for-k8s-azure │ │ └── Dockerfile │ ├── cf-for-k8s-ci │ │ └── Dockerfile │ ├── cf-for-k8s-deplab │ │ └── Dockerfile │ ├── cf-for-k8s-dind │ │ ├── Dockerfile │ │ ├── go-version │ │ ├── install-docker.sh │ │ ├── install-ruby.sh │ │ └── start-docker.sh │ ├── cf-for-k8s-gh-pages │ │ └── Dockerfile │ └── cf-k8s-networking-integration │ │ └── Dockerfile ├── helpers │ ├── auth-to-gcp.sh │ ├── env-git.sh │ ├── gke.sh │ └── uptimer-config.sh ├── inputs │ ├── build-eirini-images.yml │ └── cf-for-k8s-contributions.yml ├── pipelines │ ├── build-eirini-images.yml │ ├── build-statsd-exporter-image.md │ ├── build-statsd-exporter-image.yml │ ├── cf-for-k8s-contributions.md │ ├── cf-for-k8s-contributions.yml │ ├── cf-for-k8s-dev-tooling.md │ ├── cf-for-k8s-dev-tooling.yml │ ├── cf-for-k8s-experimental.md │ ├── cf-for-k8s-experimental.yml │ ├── cf-for-k8s-iaas-tests.md │ ├── cf-for-k8s-iaas-tests.yml │ ├── cf-for-k8s-main.md │ ├── cf-for-k8s-main.yml │ ├── cf-for-k8s-stability-tests.md │ ├── cf-for-k8s-stability-tests.yml │ ├── cf-for-k8s-update-gh-pages.md │ ├── cf-for-k8s-update-gh-pages.yml │ ├── k8s-pool-management.md │ └── k8s-pool-management.yml ├── tasks │ ├── build-statsd-exporter-image │ │ ├── task.sh │ │ └── task.yml │ ├── bump-buildpacks │ │ ├── task.sh │ │ └── task.yml │ ├── bump-core-component │ │ ├── task.sh │ │ └── task.yml │ ├── bump-stack │ │ ├── task.sh │ │ └── task.yml │ ├── check-pool-size │ │ ├── task.sh │ │ └── task.yml │ ├── check-values-interface │ │ ├── task.sh │ │ └── task.yml │ ├── check-vendir-sync │ │ ├── ignore-moved-lines.awk │ │ ├── task.sh │ │ └── task.yml │ ├── create-kind-cluster │ │ ├── task.sh │ │ └── task.yml │ ├── create-minikube-cluster │ │ ├── task.sh │ │ └── task.yml │ ├── create-rds-tf-vars-file │ │ └── task.yml │ ├── create-s3-bucket-data-values-file │ │ ├── task.sh │ │ └── 
task.yml │ ├── create-s3-tf-vars-file │ │ ├── task.sh │ │ └── task.yml │ ├── create-tag-annotation │ │ ├── task.sh │ │ └── task.yml │ ├── create-tf-vars-file │ │ ├── task.sh │ │ └── task.yml │ ├── delete-cf │ │ ├── task.sh │ │ └── task.yml │ ├── delete-rds │ │ ├── task.sh │ │ └── task.yml │ ├── display-gke-cluster-info │ │ ├── task.sh │ │ └── task.yml │ ├── ensure-api-healthy │ │ └── task.yml │ ├── generate-random-name │ │ ├── task.sh │ │ └── task.yml │ ├── generate-release-notes │ │ ├── task.sh │ │ └── task.yml │ ├── initialize-rds │ │ ├── task.sh │ │ └── task.yml │ ├── install-cf-on-gke │ │ ├── task.sh │ │ └── task.yml │ ├── install-cf-on-kind │ │ ├── task.sh │ │ └── task.yml │ ├── install-cf-on-minikube │ │ ├── task.sh │ │ └── task.yml │ ├── install-minio │ │ ├── task.sh │ │ └── task.yml │ ├── install-postgres │ │ ├── task.sh │ │ └── task.yml │ ├── publish-eirini-image │ │ ├── task.sh │ │ └── task.yml │ ├── push-test-app │ │ ├── task.sh │ │ └── task.yml │ ├── run-cats │ │ ├── task.sh │ │ └── task.yml │ ├── run-external-blobstore-validation-test │ │ ├── task.sh │ │ └── task.yml │ ├── run-external-db-validation-test │ │ ├── task.sh │ │ └── task.yml │ ├── run-smoke-tests-on-kind │ │ ├── task.sh │ │ └── task.yml │ ├── run-smoke-tests-on-minikube │ │ ├── task.sh │ │ └── task.yml │ ├── run-smoke-tests │ │ ├── task.sh │ │ └── task.yml │ ├── run-unit-tests │ │ ├── task │ │ └── task.yml │ ├── schedule-stale-envs-for-deletion │ │ ├── task │ │ └── task.yml │ └── verify-every-task-is-used-in-a-pipeline │ │ ├── task.sh │ │ └── task.yml └── templates │ ├── build-eirini-images.yml │ └── cf-for-k8s-contributions.yml ├── community ├── CONTRIBUTING.md ├── MAINTAINERS.md ├── PREPARING-FOR-DEVELOPMENT.md └── code-of-conduct.md ├── config ├── 0-min-kapp-version.yml ├── 0-min-version.star ├── 2-fix-null-annotations.yml ├── add-kapp-istio-gateway-secret-refs.yml ├── capi │ ├── _ytt_lib │ │ └── capi-k8s-release │ │ │ ├── LICENSE │ │ │ ├── NOTICE │ │ │ └── config │ │ │ ├── 
api_server_deployment.yml │ │ │ ├── cc-kpack-registry-service-account.yml │ │ │ ├── ccdb-migrate-job.yaml │ │ │ ├── ccng-config.lib.yml │ │ │ ├── ccng-configmap.yml │ │ │ ├── cf-api-controllers-service-account.yml │ │ │ ├── cf-api-server-service-account.yml │ │ │ ├── cf-api-worker-service-account.yml │ │ │ ├── cf-workloads-staging-namespace.yml │ │ │ ├── clock_deployment.yml │ │ │ ├── controllers_deployment.yml │ │ │ ├── database-ca-cert-secret.yml │ │ │ ├── deployment_updater_deployment.yml │ │ │ ├── nginx-configmap.yml │ │ │ ├── periodic-route-sync.yml │ │ │ ├── periodic-sync-crd.yml │ │ │ ├── secrets-file.yml │ │ │ ├── secrets.lib.yml │ │ │ ├── service.yml │ │ │ ├── values │ │ │ ├── _defaults.yml │ │ │ └── images.yml │ │ │ └── worker_deployment.yml │ ├── add-statsd-exporter-probes.yml │ ├── allow-prometheus-metrics-access.yml │ ├── capi.yml │ ├── secrets │ │ └── quarks-secrets.yml │ └── staging-ns-label.yml ├── check-required-arguments.yml ├── eirini │ ├── _ytt_lib │ │ └── eirini │ │ │ └── rendered.yml │ ├── eirini.yml │ ├── enable-automount-service-account-token.yml │ └── set-instance-index-env-injector-webhook-ca.yml ├── fix-db-startup-order.yml ├── get_missing_parameters.star ├── istio │ ├── README.md │ ├── add-istio-injection.yml │ ├── add-istio-version-to-podspecs.yml │ ├── app-sidecar.yaml │ ├── control-plane-network-policy.yaml │ ├── external-routing.yml │ ├── fluent-bit-ingressgateway-config-map.yaml │ ├── gateway.lib.yml │ ├── gateway_test.star │ ├── ingressgateway-service-nodeport.yml │ ├── istio-generated │ │ ├── README.md │ │ └── xxx-generated-istio.yaml │ ├── istio-kapp-ordering.yml │ ├── istio-version.star │ ├── label-istio-ns.yml │ ├── peer-auth-fluentd.yaml │ ├── remove-hpas-and-scale-istiod.yml │ ├── upgrade-istio-sidecars-job.yml │ ├── use-external-dns-for-wildcard.yml │ └── use-first-party-jwt-tokens.yml ├── kapp-rebase-rules.yml ├── kpack │ ├── _ytt_lib │ │ └── kpack │ │ │ └── release-0.5.4.yaml │ ├── default-buildpacks.yml │ ├── 
kapp-order.yml │ ├── kapp-wait-rules.yml │ ├── kpack-ns-label.yml │ └── kpack.yml ├── logging │ ├── _ytt_lib │ │ └── cf-k8s-logging │ │ │ ├── _defaults.yml │ │ │ ├── fluent-ingress-service.yaml │ │ │ ├── fluentd-config.yaml │ │ │ ├── fluentd-daemonset.yaml │ │ │ ├── images.yml │ │ │ ├── log-cache-api-deployment.yaml │ │ │ ├── log-cache-api-service.yaml │ │ │ ├── log-cache-deployment.yaml │ │ │ ├── log-cache-service.yaml │ │ │ ├── log-cache-virualservice.yml │ │ │ ├── logging-metadata-service-account.yaml │ │ │ ├── network-policies.yaml │ │ │ └── syslog-service.yaml │ └── logging.yml ├── metrics │ ├── _ytt_lib │ │ └── metric-proxy │ │ │ ├── 100-metric-proxy-service-account.yml │ │ │ ├── 400-metric-proxy-service.yml │ │ │ ├── 500-metric-proxy-deployment.yml │ │ │ ├── _defaults.yml │ │ │ ├── images.yml │ │ │ └── metadata.yml │ ├── add-metrics-server-components.yml │ ├── allow-prometheus-metrics-access.yml │ ├── metrics-server-prefer-internal-kubelet-address.yml │ └── metrics.yml ├── minio │ ├── _ytt_lib │ │ └── minio │ │ │ └── rendered.yml │ ├── minio.star │ ├── minio.yml │ └── must_exist.star ├── namespaces.star ├── networking │ ├── _ytt_lib │ │ └── cf-k8s-networking │ │ │ ├── LICENSE │ │ │ ├── NOTICE │ │ │ └── config │ │ │ ├── crd │ │ │ └── networking.cloudfoundry.org_routes.yaml │ │ │ ├── routecontroller │ │ │ ├── cluster-role-binding.yaml │ │ │ ├── cluster-role.yaml │ │ │ ├── routecontroller-configmap.yaml │ │ │ ├── routecontroller.yaml │ │ │ └── service-account.yaml │ │ │ └── values │ │ │ ├── _defaults.yml │ │ │ └── images.yml │ ├── istio-authorization-policies.yml │ ├── network-policies.yaml │ └── networking.yml ├── postgres │ ├── _ytt_lib │ │ └── postgres │ │ │ └── rendered.yml │ ├── postgres.star │ └── postgres.yml ├── prioritize-daemonsets.yml ├── quarks-secret │ ├── _ytt_lib │ │ └── quarks-secret │ │ │ └── rendered.yml │ ├── quarks-secret.star │ └── quarks-secret.yml ├── remove-resource-requirements.yml ├── system-namespace.yml ├── system-registry.yml ├── 
uaa │ ├── _ytt_lib │ │ └── uaa-k8s-release │ │ │ ├── LICENSE │ │ │ ├── NOTICE │ │ │ └── config │ │ │ ├── config.yml │ │ │ ├── deployment.star │ │ │ ├── deployment.yml │ │ │ ├── log4j2.properties │ │ │ ├── metadata.yml │ │ │ ├── secrets │ │ │ ├── admin_client_credentials.yml │ │ │ ├── ca_certs.star │ │ │ ├── ca_certs.yml │ │ │ ├── database_credentials.yml │ │ │ ├── encryption_keys.star │ │ │ ├── encryption_keys.yml │ │ │ ├── jwt_policy_signing_keys.star │ │ │ ├── jwt_policy_signing_keys.yml │ │ │ ├── saml_keys.star │ │ │ ├── saml_keys.yml │ │ │ └── smtp_credentials.yml │ │ │ ├── service.yml │ │ │ ├── service_account.yml │ │ │ ├── uaa.lib.yml │ │ │ └── values │ │ │ ├── _defaults.yml │ │ │ ├── images.yml │ │ │ └── version.yml │ ├── add-statsd-exporter-probes.yml │ ├── allow-prometheus-metrics-access.yml │ ├── enable-automount-service-account-token.yml │ ├── remove-resource-requirements.yml │ ├── secrets │ │ └── quarks-secrets.yml │ └── uaa.yml ├── values │ ├── 00-values.yml │ ├── 20-secrets-config-values.yml │ └── 30-experimental-values.yml ├── workloads-namespace.yml └── z-kapp-versioned-creds.yml ├── deploy ├── aks │ └── terraform │ │ ├── cluster.tf │ │ ├── dns.tf │ │ ├── lb_static_ip.tf │ │ ├── outputs.tf │ │ ├── provider.tf │ │ ├── resource_group.tf │ │ ├── variables.tf │ │ └── versions.tf ├── eks │ └── terraform │ │ ├── eks.tf │ │ ├── outputs.tf │ │ ├── provider.tf │ │ ├── security-groups.tf │ │ ├── variables.tf │ │ └── vpc.tf ├── gke │ └── terraform │ │ ├── cluster.tf │ │ ├── dns.tf │ │ ├── lb_static_ip.tf │ │ ├── outputs.tf │ │ ├── provider.tf │ │ ├── variables.tf │ │ └── versions.tf ├── kind-on-gcp │ ├── install-and-test.sh │ └── terraform │ │ ├── outputs.tf │ │ ├── provider.tf │ │ ├── variables.tf │ │ ├── versions.tf │ │ └── vm.tf ├── kind │ └── cluster.yml ├── minikube-on-gcp │ ├── install-and-test.sh │ └── terraform │ │ ├── outputs.tf │ │ ├── provider.tf │ │ ├── variables.tf │ │ ├── versions.tf │ │ └── vm.tf ├── rds │ └── terraform │ │ ├── README.md │ │ ├── 
database.tf │ │ ├── outputs.tf │ │ ├── provider.tf │ │ └── variables.tf └── s3 │ └── terraform │ ├── blobstore.tf │ ├── outputs.tf │ ├── provider.tf │ └── variables.tf ├── hack ├── README.md ├── app-registry-check-dockerfile │ └── Dockerfile ├── confirm-network-policy.sh ├── emit-pod-service-encryption-status.sh ├── generate-values.sh ├── run-smoke-tests.sh ├── upgrade-cluster └── validate-registry-access.sh ├── images └── build │ └── statsd-exporter │ ├── build.sh │ ├── generate-kbld-config.sh │ ├── kbld.lock.yml │ ├── kbld.yml │ ├── statsd-exporter-image.yml │ ├── vendir.lock.yml │ └── vendir.yml ├── sample-cf-install-values.yml ├── samples └── example-component │ ├── Dockerfile │ ├── build │ └── kbld.yml │ └── config │ ├── add-kapp-my-crd-refs.yml │ ├── deployment.yml │ ├── my-crd.yml │ └── values │ ├── _defaults.yml │ └── images.yml ├── supported_k8s_versions.yml ├── tests ├── configs │ ├── app_registry.yml │ ├── configs_suite_test.go │ ├── configs_test.go │ ├── go.mod │ ├── go.sum │ └── rbac │ │ ├── rbac_suite_test.go │ │ └── rbac_test.go ├── smoke │ ├── assets │ │ └── test-node-app │ │ │ ├── package.json │ │ │ └── server.js │ ├── go.mod │ ├── go.sum │ ├── smoke_suite_test.go │ └── smoke_test.go └── ytt │ ├── README.md │ ├── blobstore │ └── blobstore-values.yml │ ├── capi │ └── capi-values.yml │ ├── capi_test.go │ ├── external_blobstore_test.go │ ├── external_db_test.go │ ├── external_prometheus_metrics_test.go │ ├── go.mod │ ├── go.sum │ ├── k8s_suite_test.go │ ├── metrics │ └── metrics-values.yml │ ├── missing_attributes │ └── missing_attributes_values.yml │ ├── missing_attributes_test.go │ ├── postgres │ └── postgres-values.yml │ ├── quarks_secret │ ├── quarks_secret_disabled.yml │ └── quarks_secret_enabled.yml │ ├── quarks_secret_test.go │ ├── system-registry │ └── system-registry-values.yml │ ├── system_registry_test.go │ ├── uaa │ └── uaa-values.yml │ └── uaa_test.go ├── vendir.lock.yml └── vendir.yml /.github/ISSUE_TEMPLATE/bug_report.md: 
-------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | ## Describe the bug 11 | _A clear and concise description of what the bug is_ 12 | 13 | ## To Reproduce* 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | _It's helpful to include snippets of the error response or logs output_ 21 | 22 | ## Expected behavior 23 | _A clear and concise description of what you expected to happen._ 24 | 25 | ## Additional context 26 | 27 | ### cf-for-k8s SHA 28 | _Please paste cf-for-k8s SHA hyperlink_ 29 | 30 | ### Deploy instructions 31 | _Please include the kapp deploy... command, including all config-optional files_ 32 | 33 | ### Cluster information 34 | _Please provide IaaS name(s) here (GKE, AKS, EKS, minikube, kind, etc.)_ 35 | 36 | ### CLI versions 37 | _paste output of the following commands_ 38 | 39 | 1. `ytt --version`: 40 | 2. `kapp --version`: 41 | 3. `kubectl version`: 42 | 4. `cf version`: 43 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 
18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | **/*.tfstate 2 | **/*.tfstate.backup 3 | **/.terraform/ 4 | **/.terraform.lock.hcl 5 | **/.terraform.tfstate.lock.info 6 | **/*.tfvars 7 | **/kubeconfig_* 8 | tmp 9 | .idea 10 | *~ 11 | images/sources/ 12 | images/build/statsd-exporter/sources/ 13 | tests/smoke/smoke.test 14 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | cf-for-k8s 2 | 3 | Copyright (c) 2016-Present CloudFoundry.org Foundation, Inc. All Rights Reserved. 4 | 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at 8 | 9 | http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | Unless required by applicable law or agreed to in writing, software 12 | distributed under the License is distributed on an "AS IS" BASIS, 13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | See the License for the specific language governing permissions and 15 | limitations under the License. 
16 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/core/api-service.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/core/api-service.yml 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: eirini-api 7 | namespace: cf-system 8 | spec: 9 | ports: 10 | - port: 8080 11 | protocol: TCP 12 | name: http 13 | selector: 14 | name: eirini-api 15 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/core/instance-index-env-injector-configmap.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/core/instance-index-env-injector-configmap.yml 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: eirini-instance-index-env-injector 7 | namespace: cf-system 8 | data: 9 | instance-index-env-injector.yml: | 10 | # service_port is the port exposed by the instance index env injector 11 | # webhook Service. 
12 | service_port: 8443 13 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/core/instance-index-env-injector-service.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/core/instance-index-env-injector-service.yml 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: eirini-instance-index-env-injector 7 | namespace: cf-system 8 | spec: 9 | ports: 10 | - port: 443 11 | targetPort: 8443 12 | protocol: TCP 13 | name: https 14 | selector: 15 | name: eirini-instance-index-env-injector 16 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/core/instance-index-env-injector-webhook.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/core/instance-index-env-injector-webhook.yml 3 | apiVersion: admissionregistration.k8s.io/v1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: eirini-x-mutating-hook 7 | webhooks: 8 | - name: instance-index-env-injector.eirini.cloudfoundry.org 9 | objectSelector: 10 | matchLabels: 11 | cloudfoundry.org/source_type: APP 12 | rules: 13 | - apiGroups: [""] 14 | apiVersions: ["v1"] 15 | operations: ["CREATE"] 16 | resources: ["pods"] 17 | scope: "Namespaced" 18 | clientConfig: 19 | service: 20 | namespace: cf-system 21 | name: eirini-instance-index-env-injector 22 | caBundle: 23 | admissionReviewVersions: ["v1beta1"] 24 | sideEffects: None 25 | timeoutSeconds: 10 26 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/core/migration-job.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/core/migration-job.yml 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: eirini-app-migration 7 | namespace: cf-system 8 | annotations: 9 
| kapp.k14s.io/update-strategy: fallback-on-replace 10 | spec: 11 | backoffLimit: 4 12 | template: 13 | metadata: 14 | labels: 15 | name: eirini-app-migration 16 | annotations: 17 | sidecar.istio.io/inject: "false" 18 | spec: 19 | serviceAccountName: eirini-migration 20 | securityContext: 21 | runAsNonRoot: true 22 | containers: 23 | - name: migration 24 | image: eirini/migration@sha256:88a8e2ef2c32fe6858040451c62a782d63fc00d24b525d669b82b8a91d87a633 25 | imagePullPolicy: IfNotPresent 26 | resources: 27 | requests: 28 | cpu: 20m 29 | memory: 20Mi 30 | limits: 31 | cpu: 100m 32 | memory: 100Mi 33 | restartPolicy: OnFailure 34 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/core/task-reporter-configmap.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/core/task-reporter-configmap.yml 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: eirini-task-reporter 7 | namespace: cf-system 8 | data: 9 | task-reporter.yml: | 10 | # cc_tls_disabled specifies wether Eirini should communicate to the Cloud 11 | # Controller via HTTPS or not. This should be set to false if TLS is 12 | # handled transparently, e.g. by a service mesh. 13 | # 14 | # When cc_tls_disabled is false, which is the default, a secret must be 15 | # provided for the cc-certs volume in core/api-deployment.yml. This must 16 | # have entries tls.ca, tls.crt and tls.key, for the TLS certificate 17 | # authority, client certificate and key respectively, used for mTLS with 18 | # the Cloud Controller. 19 | cc_tls_disabled: true 20 | 21 | # completion_callback_retry_limit is the number of times Eirini will retry 22 | # to call the Cloud Controller completion callback in case the Cloud 23 | # Controller is unreachable. 
24 | completion_callback_retry_limit: 10 25 | 26 | # ttl_seconds is the number of seconds Eirini will wait before deleting the 27 | # Job associated to a completed Task. 28 | ttl_seconds: 5 29 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/events/event-reporter-configmap.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/events/event-reporter-configmap.yml 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: eirini-event-reporter 7 | namespace: cf-system 8 | data: 9 | events.yml: | 10 | # cc_internal_api is the URL used by Eirini to call the Cloud Controller. 11 | cc_internal_api: "http://capi.cf-system.svc.cluster.local:9023" 12 | 13 | # cc_tls_disabled specifies wether Eirini should communicate to the Cloud 14 | # Controller via HTTPS or not. This should be set to false if TLS is 15 | # handled transparently, e.g. by a service mesh. 16 | # 17 | # When cc_tls_disabled is false, which is the default, a secret must be 18 | # provided for the cc-certs volume in core/api-deployment.yml. This must 19 | # have entries tls.ca, tls.crt and tls.key, for the TLS certificate 20 | # authority, client certificate and key respectively, used for mTLS with 21 | # the Cloud Controller. 
22 | cc_tls_disabled: true 23 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/workloads/core/api-rbac.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/workloads/core/api-rbac.yml 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: eirini-namespaced-role 7 | namespace: cf-workloads 8 | rules: 9 | - apiGroups: 10 | - batch 11 | resources: 12 | - jobs 13 | verbs: 14 | - create 15 | - delete 16 | - apiGroups: 17 | - apps 18 | resources: 19 | - statefulsets 20 | verbs: 21 | - create 22 | - update 23 | - delete 24 | - apiGroups: 25 | - "" 26 | resources: 27 | - pods 28 | verbs: 29 | - delete 30 | - apiGroups: 31 | - policy 32 | resources: 33 | - poddisruptionbudgets 34 | verbs: 35 | - create 36 | - delete 37 | - apiGroups: 38 | - "" 39 | resources: 40 | - secrets 41 | verbs: 42 | - create 43 | - delete 44 | - patch 45 | --- 46 | # Source: eirini/templates/workloads/core/api-rbac.yml 47 | # Bind to the default service account 48 | apiVersion: rbac.authorization.k8s.io/v1 49 | kind: RoleBinding 50 | metadata: 51 | name: eirini-namespaced-rolebinding 52 | namespace: cf-workloads 53 | roleRef: 54 | kind: Role 55 | apiGroup: rbac.authorization.k8s.io 56 | name: eirini-namespaced-role 57 | subjects: 58 | - kind: ServiceAccount 59 | name: eirini-api 60 | namespace: cf-system 61 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/workloads/core/task-reporter-rbac.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/workloads/core/task-reporter-rbac.yml 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: eirini-task-reporter-namespaced 7 | namespace: cf-workloads 8 | rules: 9 | - apiGroups: 10 | - batch 11 | resources: 12 | - jobs 13 | verbs: 14 | - 
delete 15 | - patch 16 | - apiGroups: 17 | - "" 18 | resources: 19 | - pods 20 | verbs: 21 | - patch 22 | - apiGroups: 23 | - "" 24 | resources: 25 | - secrets 26 | verbs: 27 | - list 28 | - delete 29 | --- 30 | # Source: eirini/templates/workloads/core/task-reporter-rbac.yml 31 | apiVersion: rbac.authorization.k8s.io/v1 32 | kind: RoleBinding 33 | metadata: 34 | name: eirini-task-reporter-namespaced 35 | namespace: cf-workloads 36 | roleRef: 37 | kind: Role 38 | name: eirini-task-reporter-namespaced 39 | apiGroup: rbac.authorization.k8s.io 40 | subjects: 41 | - kind: ServiceAccount 42 | name: eirini-task-reporter 43 | namespace: cf-system 44 | -------------------------------------------------------------------------------- /build/eirini/_vendir/eirini/workloads/events/event-reporter-rbac.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: eirini/templates/workloads/events/event-reporter-rbac.yml 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: eirini-event-reporter-namespaced 7 | namespace: cf-workloads 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - pods 13 | verbs: 14 | - patch 15 | --- 16 | # Source: eirini/templates/workloads/events/event-reporter-rbac.yml 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | kind: RoleBinding 19 | metadata: 20 | name: eirini-event-reporter-namespaced 21 | namespace: cf-workloads 22 | roleRef: 23 | kind: Role 24 | name: eirini-event-reporter-namespaced 25 | apiGroup: rbac.authorization.k8s.io 26 | subjects: 27 | - kind: ServiceAccount 28 | name: eirini-event-reporter 29 | namespace: cf-system 30 | -------------------------------------------------------------------------------- /build/eirini/build.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -eu 3 | 4 | SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)" 5 | 6 | echo "generating Eirini 
resource definitions..." 7 | ytt --ignore-unknown-comments \ 8 | -f "${SCRIPT_DIR}/_vendir/eirini/core" \ 9 | -f "${SCRIPT_DIR}/_vendir/eirini/events" \ 10 | -f "${SCRIPT_DIR}/_vendir/eirini/workloads" \ 11 | -f "${SCRIPT_DIR}/overlays" | 12 | kbld -f - \ 13 | >"${SCRIPT_DIR}/../../config/eirini/_ytt_lib/eirini/rendered.yml" 14 | -------------------------------------------------------------------------------- /build/eirini/overlays/rename-opi-service-name.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@overlay/match by=overlay.subset({"kind": "Service", "metadata":{"name": "eirini-api"}}) 4 | --- 5 | metadata: 6 | #! TODO: PR CAPI release to allow configuration of eirini location 7 | name: eirini 8 | -------------------------------------------------------------------------------- /build/istio/build.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -euo pipefail 3 | 4 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" 5 | 6 | ${SCRIPT_DIR}/generate.sh "$@" | kbld -f - > "${SCRIPT_DIR}/../../config/istio/istio-generated/xxx-generated-istio.yaml" 7 | 8 | # Save the current Istio version in the networking configs 9 | # NOTE: this project uses python yq module (https://kislyuk.github.io/yq/) 10 | ISTIO_VERSION="$(< "${SCRIPT_DIR}/values.yaml" yq -r .istio_version)" 11 | cat < "${SCRIPT_DIR}/../../config/istio/istio-version.star" 12 | def istio_version(): 13 | return "${ISTIO_VERSION}" 14 | end 15 | EOF 16 | -------------------------------------------------------------------------------- /build/istio/generate.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -euo pipefail 3 | 4 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" 5 | # NOTE: this project uses python yq module 
(https://kislyuk.github.io/yq/)
# NOTE(review): the istioctl bootstrap below pipes https://istio.io/downloadIstio straight
# into `sh` with no checksum or signature verification, so every generated Istio manifest
# (and therefore the ingress path of the whole deployment) is only as trustworthy as that
# endpoint and the TLS path to it at build time. Prefer a pinned release tarball verified
# against its published sha256 before extraction, or an istioctl already present in the
# build image; /tmp/istio is also a shared, predictable path on multi-user CI hosts.
"metadata":{"name":"istio-ingressgateway"}}) 5 | #@ daemonset = overlay.subset({"kind": "DaemonSet", "metadata":{"name":"istio-ingressgateway"}}) 6 | #@ match_ingress_gateway=overlay.or_op(deployment, daemonset) 7 | 8 | #@overlay/match by=match_ingress_gateway 9 | --- 10 | spec: 11 | template: 12 | spec: 13 | #@overlay/replace 14 | securityContext: 15 | runAsNonRoot: false 16 | -------------------------------------------------------------------------------- /build/istio/overlays/ingressgateway-daemonset.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"istio-ingressgateway"}}),expects=1 4 | --- 5 | #@overlay/replace 6 | kind: DaemonSet 7 | spec: 8 | #@overlay/remove 9 | strategy: 10 | #@overlay/match missing_ok=True 11 | updateStrategy: 12 | rollingUpdate: 13 | maxUnavailable: 1 14 | template: 15 | spec: 16 | containers: 17 | #@overlay/match by=overlay.subset({"name":"istio-proxy"}),expects=1 18 | - ports: 19 | #@overlay/match by=overlay.subset({"containerPort":8080}),expects=1 20 | - containerPort: 8080 21 | #@overlay/match missing_ok=True 22 | hostPort: 80 23 | #@overlay/match by=overlay.subset({"containerPort":8443}),expects=1 24 | - containerPort: 8443 25 | #@overlay/match missing_ok=True 26 | hostPort: 443 27 | -------------------------------------------------------------------------------- /build/istio/overlays/ingressgateway-drain.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@ daemonset = overlay.subset({"kind": "DaemonSet", "metadata":{"name":"istio-ingressgateway"}}) 4 | #@ deployment = overlay.subset({"kind": "Deployment", "metadata":{"name":"istio-ingressgateway"}}) 5 | #@overlay/match by=overlay.or_op(deployment, daemonset),expects=1 6 | --- 7 | #@overlay/match 8 | spec: 9 | #@overlay/match missing_ok=True 
10 | template: 11 | #@overlay/match missing_ok=True 12 | spec: 13 | #@overlay/match missing_ok=True 14 | terminationGracePeriodSeconds: 80 15 | containers: 16 | #@overlay/match by=overlay.subset({"name":"istio-proxy"}),expects=1 17 | - env: 18 | #@overlay/append 19 | - name: TERMINATION_DRAIN_DURATION_SECONDS 20 | value: "60" 21 | #@overlay/match missing_ok=True 22 | lifecycle: 23 | preStop: 24 | exec: 25 | command: 26 | - /bin/bash 27 | - -c 28 | - sleep 20 29 | -------------------------------------------------------------------------------- /build/istio/overlays/istio-system-namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: istio-system 5 | -------------------------------------------------------------------------------- /build/istio/overlays/kapp-compatible.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #! These overlays are required to make Istio compatible with kapp deploy 4 | 5 | #! 
PodDisruptionBudget cannot be updated in place, so allow kapp to fall back to replacing it on upgrade
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: MinIO is a high performance data infrastructure for machine learning, analytics and application data workloads. 3 | name: minio 4 | version: 5.0.30 5 | appVersion: master 6 | keywords: 7 | - storage 8 | - object-storage 9 | - S3 10 | home: https://min.io 11 | icon: https://min.io/resources/img/logo/MINIO_wordmark.png 12 | sources: 13 | - https://github.com/minio/minio 14 | maintainers: 15 | - name: Minio 16 | email: dev@minio.io 17 | - name: Acaleph 18 | email: hello@acale.ph 19 | -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - krisis 3 | - harshavardhana 4 | - nitisht 5 | - wlan0 6 | - dvaldivia 7 | reviewers: 8 | - krisis 9 | - harshavardhana 10 | - nitisht 11 | - wlan0 12 | - dvaldivia 13 | 14 | -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/ci/distributed-values.yaml: -------------------------------------------------------------------------------- 1 | mode: distributed 2 | -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "minio.fullname" . 
}} 5 | labels: 6 | app: {{ template "minio.name" . }} 7 | chart: {{ template "minio.chart" . }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | data: 11 | initialize: |- 12 | {{ include (print $.Template.BasePath "/_helper_create_bucket.txt") . | indent 4 }} 13 | -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/templates/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.networkPolicy.enabled }} 2 | kind: NetworkPolicy 3 | apiVersion: {{ template "minio.networkPolicy.apiVersion" . }} 4 | metadata: 5 | name: {{ template "minio.fullname" . }} 6 | labels: 7 | app: {{ template "minio.name" . }} 8 | chart: {{ template "minio.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | spec: 12 | podSelector: 13 | matchLabels: 14 | app: {{ template "minio.name" . }} 15 | release: {{ .Release.Name }} 16 | ingress: 17 | - ports: 18 | - port: {{ .Values.service.port }} 19 | {{- if not .Values.networkPolicy.allowExternal }} 20 | from: 21 | - podSelector: 22 | matchLabels: 23 | {{ template "minio.name" . }}-client: "true" 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: minio 6 | labels: 7 | app: {{ template "minio.name" . }} 8 | spec: 9 | maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 10 | selector: 11 | matchLabels: 12 | app: {{ template "minio.name" . 
}} 13 | {{- end }} -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/templates/post-install-prometheus-metrics-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | {{- $fullName := include "minio.fullname" . -}} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: {{ $fullName }}-update-prometheus-secret 7 | labels: 8 | app: {{ template "minio.name" . }}-update-prometheus-secret 9 | chart: {{ template "minio.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | rules: 13 | - apiGroups: 14 | - "" 15 | resources: 16 | - secrets 17 | verbs: 18 | - get 19 | - create 20 | - update 21 | - patch 22 | resourceNames: 23 | - {{ $fullName }}-prometheus 24 | - apiGroups: 25 | - "" 26 | resources: 27 | - secrets 28 | verbs: 29 | - create 30 | - apiGroups: 31 | - monitoring.coreos.com 32 | resources: 33 | - servicemonitors 34 | verbs: 35 | - get 36 | resourceNames: 37 | - {{ $fullName }} 38 | {{- end -}} -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/templates/post-install-prometheus-metrics-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | {{- $fullName := include "minio.fullname" . -}} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: {{ $fullName }}-update-prometheus-secret 7 | labels: 8 | app: {{ template "minio.name" . }}-update-prometheus-secret 9 | chart: {{ template "minio.chart" . 
}} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: {{ $fullName }}-update-prometheus-secret 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ $fullName }}-update-prometheus-secret 19 | namespace: {{ .Release.Namespace | quote }} 20 | {{- end -}} -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/templates/post-install-prometheus-metrics-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | {{- $fullName := include "minio.fullname" . -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ $fullName }}-update-prometheus-secret 7 | labels: 8 | app: {{ template "minio.name" . }}-update-prometheus-secret 9 | chart: {{ template "minio.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | {{- end -}} -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "standalone" }} 2 | {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: {{ template "minio.fullname" . }} 7 | labels: 8 | app: {{ template "minio.name" . }} 9 | chart: {{ template "minio.chart" . 
}} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | {{- if and .Values.nasgateway.enabled .Values.nasgateway.pv }} 14 | selector: 15 | matchLabels: 16 | pv: {{ .Values.nasgateway.pv | quote }} 17 | {{- end }} 18 | accessModes: 19 | - {{ .Values.persistence.accessMode | quote }} 20 | resources: 21 | requests: 22 | storage: {{ .Values.persistence.size | quote }} 23 | 24 | {{- if .Values.persistence.storageClass }} 25 | {{- if (eq "-" .Values.persistence.storageClass) }} 26 | storageClassName: "" 27 | {{- else }} 28 | storageClassName: "{{ .Values.persistence.storageClass }}" 29 | {{- end }} 30 | {{- end }} 31 | {{- if .Values.persistence.VolumeName }} 32 | volumeName: "{{ .Values.persistence.VolumeName }}" 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /build/minio/_vendir/stable/minio/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "minio.serviceAccountName" . | quote }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | {{- end -}} 8 | -------------------------------------------------------------------------------- /build/minio/build.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -eu 3 | 4 | SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)" 5 | 6 | echo "Generating Minio resource definitions..." 
7 | 8 | helm template cf-blobstore --namespace=cf-blobstore -f "${SCRIPT_DIR}/values.yml" "${SCRIPT_DIR}/_vendir/stable/minio/" | 9 | ytt --ignore-unknown-comments -f - -f "${SCRIPT_DIR}/scrub_default_creds.yml" | 10 | kbld -f "${SCRIPT_DIR}/osl-compliant-image-override.yml" -f - \ 11 | > "${SCRIPT_DIR}/../../config/minio/_ytt_lib/minio/rendered.yml" 12 | -------------------------------------------------------------------------------- /build/minio/osl-compliant-image-override.yml: -------------------------------------------------------------------------------- 1 | apiVersion: kbld.k14s.io/v1alpha1 2 | kind: Config 3 | minimumRequiredVersion: 0.28.0 4 | overrides: 5 | - image: minio/minio:RELEASE.2020-06-14T18-32-17Z 6 | newImage: cloudfoundry/minio-cf-for-k8s@sha256:5cb64001e21d6e3adb05717ca49aca34d52f576cf8365af28860d4afad383ea4 7 | preresolved: true 8 | -------------------------------------------------------------------------------- /build/minio/scrub_default_creds.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@overlay/match by=overlay.subset({"kind": "Secret", "metadata": {"name": "cf-blobstore-minio"}}) 4 | --- 5 | data: 6 | accesskey: ~ 7 | secretkey: ~ 8 | -------------------------------------------------------------------------------- /build/minio/values.yml: -------------------------------------------------------------------------------- 1 | DeploymentUpdate: 2 | maxUnavailable: 1 3 | resources: 4 | requests: 5 | memory: 256Mi 6 | cpu: 250m 7 | persistence: 8 | size: 10Gi 9 | -------------------------------------------------------------------------------- /build/postgres/_vendir/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019 Bitnami 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 
5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: postgresql 3 | version: 8.10.6 4 | appVersion: 11.8.0 5 | description: Chart for PostgreSQL, an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. 
6 | keywords: 7 | - postgresql 8 | - postgres 9 | - database 10 | - sql 11 | - replication 12 | - cluster 13 | home: https://www.postgresql.org/ 14 | icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png 15 | sources: 16 | - https://github.com/bitnami/bitnami-docker-postgresql 17 | maintainers: 18 | - name: Bitnami 19 | email: containers@bitnami.com 20 | - name: desaintmartin 21 | email: cedric@desaintmartin.fr 22 | engine: gotpl 23 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/ci/commonAnnotations.yaml: -------------------------------------------------------------------------------- 1 | commonAnnotations: 2 | helm.sh/hook: "pre-install, pre-upgrade" 3 | helm.sh/hook-weight: "-1" 4 | 5 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/ci/default-values.yaml: -------------------------------------------------------------------------------- 1 | # Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. 2 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/ci/shmvolume-disabled-values.yaml: -------------------------------------------------------------------------------- 1 | shmVolume: 2 | enabled: false 3 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/files/README.md: -------------------------------------------------------------------------------- 1 | Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. 
2 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/files/conf.d/README.md: -------------------------------------------------------------------------------- 1 | If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. 2 | These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. 3 | 4 | More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). 5 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/files/docker-entrypoint-initdb.d/README.md: -------------------------------------------------------------------------------- 1 | You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. 2 | 3 | More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/extended-config-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "postgresql.fullname" . }}-extended-configuration 6 | labels: 7 | app: {{ template "postgresql.name" . }} 8 | chart: {{ template "postgresql.chart" . 
}} 9 | release: {{ .Release.Name | quote }} 10 | heritage: {{ .Release.Service | quote }} 11 | {{- if .Values.commonAnnotations }} 12 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 13 | {{- end }} 14 | data: 15 | {{- with .Files.Glob "files/conf.d/*.conf" }} 16 | {{ .AsConfig | indent 2 }} 17 | {{- end }} 18 | {{ with .Values.postgresqlExtendedConf }} 19 | override.conf: | 20 | {{- range $key, $value := . }} 21 | {{ $key | snakecase }}={{ $value }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/initialization-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "postgresql.fullname" . }}-init-scripts 6 | labels: 7 | app: {{ template "postgresql.name" . }} 8 | chart: {{ template "postgresql.chart" . }} 9 | release: {{ .Release.Name | quote }} 10 | heritage: {{ .Release.Service | quote }} 11 | {{- if .Values.commonAnnotations }} 12 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 13 | {{- end }} 14 | {{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} 15 | binaryData: 16 | {{- range $path, $bytes := . }} 17 | {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} 18 | {{- end }} 19 | {{- end }} 20 | data: 21 | {{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} 22 | {{ .AsConfig | indent 2 }} 23 | {{- end }} 24 | {{- with .Values.initdbScripts }} 25 | {{ toYaml . 
| indent 2 }} 26 | {{- end }} 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/metrics-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "postgresql.metricsCM" . }} 6 | labels: 7 | app: {{ template "postgresql.name" . }} 8 | chart: {{ template "postgresql.chart" . }} 9 | release: {{ .Release.Name | quote }} 10 | heritage: {{ .Release.Service | quote }} 11 | {{- if .Values.commonAnnotations }} 12 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 13 | {{- end }} 14 | data: 15 | custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/metrics-svc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metrics.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "postgresql.fullname" . }}-metrics 6 | labels: 7 | app: {{ template "postgresql.name" . }} 8 | chart: {{ template "postgresql.chart" . 
}} 9 | release: {{ .Release.Name | quote }} 10 | heritage: {{ .Release.Service | quote }} 11 | annotations: 12 | {{- if .Values.commonAnnotations }} 13 | {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 14 | {{- end }} 15 | {{- toYaml .Values.metrics.service.annotations | nindent 4 }} 16 | spec: 17 | type: {{ .Values.metrics.service.type }} 18 | {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} 19 | loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} 20 | {{- end }} 21 | ports: 22 | - name: http-metrics 23 | port: 9187 24 | targetPort: http-metrics 25 | selector: 26 | app: {{ template "postgresql.name" . }} 27 | release: {{ .Release.Name }} 28 | role: master 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.psp.create }} 2 | apiVersion: {{ include "podsecuritypolicy.apiVersion" . }} 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "postgresql.fullname" . }} 6 | labels: 7 | app: {{ template "postgresql.name" . }} 8 | chart: {{ template "postgresql.chart" . 
}} 9 | release: {{ .Release.Name | quote }} 10 | heritage: {{ .Release.Service | quote }} 11 | {{- if .Values.commonAnnotations }} 12 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 13 | {{- end }} 14 | spec: 15 | privileged: false 16 | volumes: 17 | - 'configMap' 18 | - 'secret' 19 | - 'persistentVolumeClaim' 20 | - 'emptyDir' 21 | - 'projected' 22 | hostNetwork: false 23 | hostIPC: false 24 | hostPID: false 25 | runAsUser: 26 | rule: 'MustRunAsNonRoot' 27 | seLinux: 28 | rule: 'RunAsAny' 29 | supplementalGroups: 30 | rule: 'MustRunAs' 31 | ranges: 32 | - min: 1 33 | max: 65535 34 | fsGroup: 35 | rule: 'MustRunAs' 36 | ranges: 37 | - min: 1 38 | max: 65535 39 | readOnlyRootFilesystem: false 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: {{ template "postgresql.fullname" . }} 6 | {{- with .Values.metrics.prometheusRule.namespace }} 7 | namespace: {{ . }} 8 | {{- end }} 9 | labels: 10 | app: {{ template "postgresql.name" . }} 11 | chart: {{ template "postgresql.chart" . }} 12 | release: {{ .Release.Name | quote }} 13 | heritage: {{ .Release.Service | quote }} 14 | {{- with .Values.metrics.prometheusRule.additionalLabels }} 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | {{- if .Values.commonAnnotations }} 18 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 19 | {{- end }} 20 | spec: 21 | {{- with .Values.metrics.prometheusRule.rules }} 22 | groups: 23 | - name: {{ template "postgresql.name" $ }} 24 | rules: {{ tpl (toYaml .) 
$ | nindent 8 }} 25 | {{- end }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "postgresql.fullname" . }} 6 | labels: 7 | app: {{ template "postgresql.name" . }} 8 | chart: {{ template "postgresql.chart" . }} 9 | release: {{ .Release.Name | quote }} 10 | heritage: {{ .Release.Service | quote }} 11 | {{- if .Values.commonAnnotations }} 12 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 13 | {{- end }} 14 | rules: 15 | {{- if .Values.psp.create }} 16 | - apiGroups: ["extensions"] 17 | resources: ["podsecuritypolicies"] 18 | verbs: ["use"] 19 | resourceNames: 20 | - {{ template "postgresql.fullname" . }} 21 | {{- end }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "postgresql.fullname" . }} 6 | labels: 7 | app: {{ template "postgresql.name" . }} 8 | chart: {{ template "postgresql.chart" . }} 9 | release: {{ .Release.Name | quote }} 10 | heritage: {{ .Release.Service | quote }} 11 | {{- if .Values.commonAnnotations }} 12 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 13 | {{- end }} 14 | roleRef: 15 | kind: Role 16 | name: {{ template "postgresql.fullname" . 
}} 17 | apiGroup: rbac.authorization.k8s.io 18 | subjects: 19 | - kind: ServiceAccount 20 | name: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }} 21 | namespace: {{ .Release.Namespace }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if (include "postgresql.createSecret" .) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "postgresql.fullname" . }} 6 | labels: 7 | app: {{ template "postgresql.name" . }} 8 | chart: {{ template "postgresql.chart" . }} 9 | release: {{ .Release.Name | quote }} 10 | heritage: {{ .Release.Service | quote }} 11 | {{- if .Values.commonAnnotations }} 12 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 13 | {{- end }} 14 | type: Opaque 15 | data: 16 | {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }} 17 | postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }} 18 | {{- end }} 19 | postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} 20 | {{- if .Values.replication.enabled }} 21 | postgresql-replication-password: {{ include "postgresql.replication.password" . 
| b64enc | quote }} 22 | {{- end }} 23 | {{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}} 24 | postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }} 25 | {{- end }} 26 | {{- end -}} 27 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | app: {{ template "postgresql.name" . }} 7 | chart: {{ template "postgresql.chart" . }} 8 | release: {{ .Release.Name | quote }} 9 | heritage: {{ .Release.Service | quote }} 10 | name: {{ template "postgresql.fullname" . }} 11 | {{- if .Values.commonAnnotations }} 12 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /build/postgres/_vendir/bitnami/postgresql/templates/svc-headless.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "postgresql.fullname" . }}-headless 5 | labels: 6 | app: {{ template "postgresql.name" . }} 7 | chart: {{ template "postgresql.chart" . }} 8 | release: {{ .Release.Name | quote }} 9 | heritage: {{ .Release.Service | quote }} 10 | {{- if .Values.commonAnnotations }} 11 | annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 12 | {{- end }} 13 | spec: 14 | type: ClusterIP 15 | clusterIP: None 16 | ports: 17 | - name: tcp-postgresql 18 | port: {{ template "postgresql.port" . }} 19 | targetPort: tcp-postgresql 20 | selector: 21 | app: {{ template "postgresql.name" . 
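}}
    release: {{ .Release.Name | quote }}
-------------------------------------------------------------------------------- /build/postgres/build.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Renders the vendored bitnami/postgresql Helm chart into a single manifest
# under config/postgres/_ytt_lib/postgres/rendered.yml.
#
# Pipeline: helm template -> ytt -> kbld. No kbld override file is passed
# here, so the image references in rendered.yml are whatever kbld resolves
# at build time (presumably tag -> digest via the registry); unlike
# build/quarks-secret there is no locally pinned digest to check against.
#
# -o pipefail matters: without it a failing `helm template` or `ytt` is
# masked by kbld's exit status and a truncated rendered.yml is written
# silently.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
RENDERED="${SCRIPT_DIR}/../../config/postgres/_ytt_lib/postgres/rendered.yml"

echo "generating Postgresql resource definitions..."

# Render into a temporary file and move it into place only on success, so a
# failed run does not leave a truncated rendered.yml behind.
TMP_RENDERED="$(mktemp "${RENDERED}.XXXXXX")"
trap 'rm -f "${TMP_RENDERED}"' EXIT

helm template cf-db --namespace=cf-db "${SCRIPT_DIR}/_vendir/bitnami/postgresql" \
  --values="${SCRIPT_DIR}/init-db-values.yml" |
  ytt --ignore-unknown-comments -f - |
  kbld -f - > "${TMP_RENDERED}"

mv "${TMP_RENDERED}" "${RENDERED}"
-------------------------------------------------------------------------------- /build/postgres/init-db-values.yml: --------------------------------------------------------------------------------
# Values layered on the vendored bitnami/postgresql chart when rendering.
# existingSecret:      the chart's own generated admin Secret is not used; the
#                      admin password is expected in cf-db-admin-secret, which
#                      is not defined in this directory.
# initdbScriptsSecret: the init script is delivered through the Secret
#                      cf-db-credentials instead of a ConfigMap (the name
#                      suggests it carries credentials).
# initdbScripts:       empty init.sh placeholder — presumably needed so the
#                      chart wires the initdb volume at all; verify against
#                      the chart templates before removing it.
initdbScripts:
  init.sh: ""
initdbScriptsSecret: cf-db-credentials
existingSecret: cf-db-admin-secret
-------------------------------------------------------------------------------- /build/quarks-secret/_vendir/NOTICE: --------------------------------------------------------------------------------
Copyright (c) 2019-Present CloudFoundry.org Foundation, Inc. All Rights Reserved.
This project is licensed to you under the Apache License, Version 2.0 (the "License").
You may not use this project except in compliance with the License.

This project may include a number of subcomponents with separate copyright notices
and license terms. Your use of these subcomponents is subject to the terms and
conditions of the subcomponent's license, as noted in the LICENSE file.
-------------------------------------------------------------------------------- /build/quarks-secret/_vendir/deploy/helm/quarks-secret/.helmignore: --------------------------------------------------------------------------------
# Patterns to ignore when building packages.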
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /build/quarks-secret/_vendir/deploy/helm/quarks-secret/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: quarks-secret 3 | version: 0.0.0 4 | appVersion: 0.0.0 5 | description: A Helm chart for quarks-secret, a k8s operator to create secrets 6 | home: https://github.com/cloudfoundry-incubator/quarks-secret 7 | icon: https://cloudfoundry-incubator.github.io/quarks-helm/logo.png 8 | keywords: 9 | - quarks 10 | - secret 11 | - rotation 12 | sources: 13 | - https://github.com/cloudfoundry-incubator/quarks-secret 14 | maintainers: 15 | - name: project-quarks 16 | email: project-quarks@googlegroups.com 17 | -------------------------------------------------------------------------------- /build/quarks-secret/_vendir/deploy/helm/quarks-secret/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Running the operator will install the following CRD: 2 | 3 | - quarkssecrets.quarks.cloudfoundry.org 4 | 5 | You can always verify if the CRD´s are installed, by running: 6 | $ kubectl get crds 7 | 8 | 9 | 10 | {{- if and .Release.IsInstall }} 11 | 12 | Interacting with the quarks-secret pod 13 | 14 | 1. Check the quarks-secret pod status 15 | kubectl -n {{ .Release.Namespace }} get pods 16 | 17 | 2. 
Tail the quarks-secret pod logs 18 | export OPERATOR_POD=$(kubectl get pods -l name=quarks-secret --namespace {{ .Release.Namespace }} --output name) 19 | kubectl -n {{ .Release.Namespace }} logs $OPERATOR_POD -f 20 | 21 | 3. Label a namespace so it will be watched for quarks-secret CRDs 22 | 23 | kubectl patch namespace {{ .Release.Namespace }} --type=json -p '[{"op": "add", "path": "/metadata/labels", "value": {"quarks.cloudfoundry.org/monitored": "{{ template "quarks-secret.monitoredID" . }}"}}]' 24 | 25 | 4. Apply one of the Quarks Secret examples to that namespace 26 | kubectl -n {{ .Release.Namespace }} create -f docs/examples/password.yaml 27 | 28 | 5. See the quarks-secret in action! 29 | kubectl -n {{ .Release.Namespace }} get secret --watch 30 | 31 | {{- end -}} 32 | -------------------------------------------------------------------------------- /build/quarks-secret/_vendir/deploy/helm/quarks-secret/templates/service-account-pull-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.image.credentials }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | type: kubernetes.io/dockerconfigjson 6 | metadata: 7 | name: {{ template "quarks-secret.serviceAccountName" . 
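}}-pull-secret
  namespace: {{ .Release.Namespace }}
data:
  .dockerconfigjson: {{ printf "{%q:{%q:{%q:%q,%q:%q,%q:%q}}}" "auths" .Values.global.image.credentials.servername "username" .Values.global.image.credentials.username "password" .Values.global.image.credentials.password "auth" (printf "%s:%s" .Values.global.image.credentials.username .Values.global.image.credentials.password | b64enc) | b64enc }}
{{- end }}
-------------------------------------------------------------------------------- /build/quarks-secret/_vendir/deploy/helm/quarks-secret/templates/service-account.yaml: --------------------------------------------------------------------------------
{{- if or .Values.serviceAccount.create .Values.global.rbac.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "quarks-secret.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
{{- if .Values.global.image.credentials }}
imagePullSecrets:
  - name: {{ template "quarks-secret.serviceAccountName" . }}-pull-secret
{{- end }}
{{- end }}

{{- if .Values.global.rbac.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "quarks-secret.fullname" . }}
roleRef:
  kind: ClusterRole
  name: {{ template "quarks-secret.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: {{ template "quarks-secret.serviceAccountName" . }}
    namespace: "{{ .Release.Namespace }}"
{{- end }}
-------------------------------------------------------------------------------- /build/quarks-secret/build.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Renders the vendored quarks-secret Helm chart into a single manifest under
# config/quarks-secret/_ytt_lib/quarks-secret/rendered.yml.
#
# Pipeline: helm template -> ytt -> kbld. kbld is given image-override.yml so
# the operator image in rendered.yml is the digest pinned there rather than
# the mutable tag from quarks-values.yaml.
#
# -o pipefail matters: without it a failing `helm template` or `ytt` is
# masked by kbld's exit status and a truncated rendered.yml is written
# silently.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
RENDERED="${SCRIPT_DIR}/../../config/quarks-secret/_ytt_lib/quarks-secret/rendered.yml"

echo "generating QuarksSecret resource definitions..."

# Render into a temporary file and move it into place only on success, so a
# failed run does not leave a truncated rendered.yml behind.
TMP_RENDERED="$(mktemp "${RENDERED}.XXXXXX")"
trap 'rm -f "${TMP_RENDERED}"' EXIT

helm template cf-quarks-secret --namespace=cf-system "${SCRIPT_DIR}/_vendir/deploy/helm/quarks-secret" \
  --values="${SCRIPT_DIR}/quarks-values.yaml" |
  ytt --ignore-unknown-comments -f - |
  kbld -f "${SCRIPT_DIR}/image-override.yml" -f - > "${TMP_RENDERED}"

mv "${TMP_RENDERED}" "${RENDERED}"
-------------------------------------------------------------------------------- /build/quarks-secret/image-override.yml: --------------------------------------------------------------------------------
# kbld override that pins the quarks-secret operator image by digest.
#
# `image` must match, byte for byte, the reference the chart renders from
# quarks-values.yaml (presumably org/repository:tag, i.e.
# ghcr.io/cloudfoundry-incubator/quarks-secret:v1.0.758). The previous value
# read `uarks-secret`, which cannot match that reference; an unmatched
# override is silently ignored by kbld, so the digest below was never the
# one that ended up in rendered.yml.
apiVersion: kbld.k14s.io/v1alpha1
kind: Config
minimumRequiredVersion: 0.28.0
overrides:
- image: ghcr.io/cloudfoundry-incubator/quarks-secret:v1.0.758
  newImage: ghcr.io/cloudfoundry-incubator/quarks-secret@sha256:265adf83e2f4ccef62b2c93999fe830c783d92ad2e703ff1c21c20d6ecbf357e
  preresolved: true
-------------------------------------------------------------------------------- /build/quarks-secret/quarks-values.yaml: --------------------------------------------------------------------------------
# Helm values used by build.sh when rendering the vendored quarks-secret
# chart. The image fields here produce the tag that image-override.yml
# replaces with a digest; keep the two files in sync when bumping.
fullnameOverride: cf-quarks-secret

image:
  repository: quarks-secret
  org: ghcr.io/cloudfoundry-incubator
  tag: v1.0.758

global:
  monitoredID: cf-quarks-secret

# CRDs are not applied by the chart; they are expected to be managed
# separately (not visible in this directory).
applyCRD: false
-------------------------------------------------------------------------------- /ci/configure: --------------------------------------------------------------------------------
#!/usr/bin/env bash

set -euo pipefail

export PROJECT_DIR="$(cd $(dirname $0)/.. && pwd)"

function main() {
  local PIPELINE=${1}

  if [[ -r "${PROJECT_DIR}/ci/templates/${PIPELINE}.yml" ]]; then
    # NOTE(review): original lines 12-22 of this file (the body between the
    # two redirections, which looks like a heredoc) are missing from this
    # listing; the line below is reproduced as found.
    cat > "${PROJECT_DIR}/ci/pipelines/${PIPELINE}.yml" <> "${PROJECT_DIR}/ci/pipelines/${PIPELINE}.yml"
  fi

  if [[ ! -r "${PROJECT_DIR}/ci/pipelines/${PIPELINE}.yml" ]]; then
    echo "Invalid pipeline: ${PIPELINE}."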
27 | exit 1 28 | fi 29 | 30 | fly -t relint-ci sp -p "${PIPELINE}" -c "${PROJECT_DIR}/ci/pipelines/${PIPELINE}.yml" 31 | } 32 | 33 | main "$@" 34 | -------------------------------------------------------------------------------- /ci/dockerfiles/cf-for-k8s-deplab/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM bash:latest 2 | 3 | RUN apk update && apk add jq 4 | 5 | # deplab 6 | RUN latest_deplab_version=$(wget -O - "https://api.github.com/repos/vmware-tanzu/dependency-labeler/releases/latest" | \ 7 | jq -r '.tag_name') && \ 8 | echo "Installing deplab version ${latest_deplab_version}..." && \ 9 | wget \ 10 | https://github.com/vmware-tanzu/dependency-labeler/releases/download/${latest_deplab_version}/deplab-linux-amd64 \ 11 | -O /usr/local/bin/deplab && \ 12 | chmod +x /usr/local/bin/deplab 13 | -------------------------------------------------------------------------------- /ci/dockerfiles/cf-for-k8s-dind/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:xenial 2 | 3 | ENV PACK_VERSION="v0.18.1" 4 | ENV KBLD_VERSION="v0.29.0" 5 | ENV YTT_VERSION="v0.32.0" 6 | ENV VENDIR_VERSION="v0.19.0" 7 | 8 | RUN apt-get update 9 | RUN apt-get install -y --no-install-recommends \ 10 | apt-transport-https \ 11 | ca-certificates \ 12 | curl \ 13 | dmsetup \ 14 | git \ 15 | jq \ 16 | openssh-client \ 17 | python3-pip \ 18 | python3-setuptools \ 19 | software-properties-common 20 | 21 | RUN pip3 install yq 22 | 23 | RUN wget -O- --tries=3 https://carvel.dev/install.sh | bash 24 | 25 | ADD install-docker.sh /tmp/install-docker.sh 26 | RUN /tmp/install-docker.sh 27 | 28 | COPY start-docker.sh /usr/local/bin/start-docker 29 | RUN chmod +x /usr/local/bin/start-docker 30 | 31 | RUN curl -LO "https://github.com/buildpacks/pack/releases/download/${PACK_VERSION}/pack-${PACK_VERSION}-linux.tgz" && \ 32 | tar xvf "pack-${PACK_VERSION}-linux.tgz" && \ 33 | mv pack 
/usr/local/bin/pack && \ 34 | rm "pack-${PACK_VERSION}-linux.tgz" 35 | 36 | VOLUME /var/lib/docker 37 | -------------------------------------------------------------------------------- /ci/dockerfiles/cf-for-k8s-dind/go-version: -------------------------------------------------------------------------------- 1 | 1.13.9 2 | -------------------------------------------------------------------------------- /ci/dockerfiles/cf-for-k8s-dind/install-docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eu -o pipefail 4 | 5 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - 6 | 7 | add-apt-repository \ 8 | "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ 9 | $(lsb_release -cs) \ 10 | stable" 11 | 12 | apt-get update 13 | 14 | apt-get install -y --no-install-recommends docker-ce docker-ce-cli containerd.io 15 | 16 | rm -rf /var/lib/apt/lists/* 17 | -------------------------------------------------------------------------------- /ci/dockerfiles/cf-for-k8s-gh-pages/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | RUN apt-get update && apt-get install -y curl wget git 4 | 5 | RUN curl -s https://api.github.com/repos/gohugoio/hugo/releases/latest \ 6 | | grep browser_download_url \ 7 | | grep "extended_.*_Linux-64bit.tar.gz" \ 8 | | cut -d "\"" -f 4 \ 9 | | wget -qi - 10 | 11 | RUN tar -xzvf $(find . 
-name "hugo_extended_*") 12 | 13 | RUN mv ./hugo /usr/local/bin/hugo -------------------------------------------------------------------------------- /ci/helpers/auth-to-gcp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -eou pipefail 3 | 4 | vm_name=$(jq -r '.vm_name' terraform/metadata) 5 | user_host="tester@${vm_name}" 6 | echo ${GCP_KEY} > gcp-service-account.json 7 | gcloud config set project "${GCP_PROJECT_NAME}" 8 | gcloud auth activate-service-account --key-file=gcp-service-account.json >/dev/null 2>&1 9 | gcloud components install beta -q 10 | mkdir $HOME/.ssh 11 | chmod 0700 $HOME/.ssh 12 | jq -r '.vm_ssh_private_key' terraform/metadata > $HOME/.ssh/google_compute_engine 13 | jq -r '.vm_ssh_public_key' terraform/metadata > $HOME/.ssh/google_compute_engine.pub 14 | chmod 0600 $HOME/.ssh/google_compute_engine -------------------------------------------------------------------------------- /ci/helpers/env-git.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | commit-long-lived-sli-cf-vars() { 4 | 5 | cp -r relint-envs/. relint-envs-updated 6 | mkdir -p relint-envs-updated/k8s-environments/long-lived-sli 7 | cf_vars_rel_path="k8s-environments/long-lived-sli/cf-vars.yaml" 8 | cf_values_rel_path="k8s-environments/long-lived-sli/cf-values.yaml" 9 | cp "/tmp/${DNS_DOMAIN}/cf-vars.yaml" relint-envs-updated/${cf_vars_rel_path} 10 | cp "cf-install-values.yml" relint-envs-updated/${cf_values_rel_path} 11 | 12 | pushd relint-envs-updated > /dev/null 13 | set +e 14 | git diff --exit-code ${cf_values_rel_path} ${cf_vars_rel_path} > /dev/null 15 | error_code=$? 16 | set -e 17 | 18 | if [[ ${error_code} != 0 ]]; then 19 | echo "Committing changes to relint-envs long-lived sli values & vars" 20 | git config user.email "cf-release-integration@pivotal.io" 21 | git config user.name "relint-ci" 22 | git add . 
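    git commit -m "Update long-lived environment"
  fi

  popd > /dev/null
}
-------------------------------------------------------------------------------- /ci/helpers/gke.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Helper sourced by CI tasks. Defines gcloud_auth, which authenticates gcloud
# with the CI service account and fetches kubeconfig for a GKE cluster.

# gcloud_auth CLUSTER_NAME
#   Environment: GCP_SERVICE_ACCOUNT_JSON, GCP_PROJECT_NAME, GCP_PROJECT_ZONE.
#   Side effects: exports KUBECONFIG=kube-config.yml, writes the service
#   account key to ./gcp-service-account.json and the cluster credentials to
#   ./kube-config.yml.
#   Returns 1 (with a message on stderr) if either gcloud step fails. This
#   file does not `set -e`, so callers must check the return status.
gcloud_auth() {
  local cluster_name=$1
  local prev_umask
  prev_umask=$(umask)

  export KUBECONFIG=kube-config.yml

  # Both files written here are credentials: create them owner-only instead
  # of with the caller's umask, and restore the umask on every exit path.
  umask 077

  # Quoted printf: the unquoted `echo ${VAR}` form subjects the JSON to word
  # splitting and glob expansion before it is written out.
  printf '%s\n' "${GCP_SERVICE_ACCOUNT_JSON}" > gcp-service-account.json

  if ! gcloud auth activate-service-account --key-file=gcp-service-account.json --project="${GCP_PROJECT_NAME}" >/dev/null 2>&1; then
    echo "gcloud_auth: failed to activate service account" >&2
    umask "${prev_umask}"
    return 1
  fi
  if ! gcloud container clusters get-credentials "${cluster_name}" --zone "${GCP_PROJECT_ZONE}" >/dev/null 2>&1; then
    echo "gcloud_auth: failed to fetch credentials for cluster ${cluster_name}" >&2
    umask "${prev_umask}"
    return 1
  fi

  umask "${prev_umask}"
}
-------------------------------------------------------------------------------- /ci/helpers/uptimer-config.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Helper sourced by CI tasks. Defines write_uptimer_deploy_config, which
# writes the uptimer configuration used while a kapp deploy is running.

# write_uptimer_deploy_config PASSWORD MANIFEST
#   PASSWORD: CF admin password; MANIFEST: path handed to `kapp deploy -f`.
#   Reads DNS_DOMAIN from the environment. Writes /tmp/uptimer-config.json.
#   `password` and `manifest` are left as shell globals (not `local`) to
#   keep the original behaviour for any caller reading them afterwards.
#   NOTE(review): values are interpolated into the JSON verbatim, so a
#   password or path containing `"` or `\` would produce invalid JSON;
#   `jq --arg` would be the robust way to build this document.
function write_uptimer_deploy_config {
  password="$1"
  manifest="$2"
  # The admin password lands in this file: remove any stale copy (a `>`
  # truncate keeps an existing file's mode) and create it owner-only rather
  # than with /tmp's default mode. umask is scoped to the subshell.
  rm -f /tmp/uptimer-config.json
  (
    umask 077
    cat <<EOF > /tmp/uptimer-config.json
{
  "while": [
    {
      "command": "kapp",
      "command_args": ["deploy", "-a", "cf", "-f", "${manifest}", "-y"]
    }
  ],
  "cf": {
    "api": "api.${DNS_DOMAIN}",
    "app_domain": "apps.${DNS_DOMAIN}",
    "admin_user": "admin",
    "admin_password": "${password}",
    "tcp_domain": "tcp.${DNS_DOMAIN}",
    "use_single_app_instance": false,
    "available_port": 1025
  },
  "optional_tests": {
    "run_app_syslog_availability": false
  },
  "allowed_failures": {
    "app_pushability": 100,
    "http_availability": 0,
    "recent_logs": 100,
    "streaming_logs": 100,
    "app_syslog_availability": 100
  }
}
EOF
  )
}
-------------------------------------------------------------------------------- /ci/inputs/build-eirini-images.yml: --------------------------------------------------------------------------------
#@data/values
---
foo: bar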
-------------------------------------------------------------------------------- /ci/pipelines/build-statsd-exporter-image.md: -------------------------------------------------------------------------------- 1 | # build-statsd-exporter-image 2 | 3 | ## Purpose 4 | This pipeline builds the statsd exporter image that is a dependency of multiple cf-for-k8s components: capi-k8s-release and uaa. 5 | 6 | ## Image building 7 | This pipeline builds using the concourse [oci-build-task](https://github.com/vito/oci-build-task). We also use this task to annotate the image with OCI labels. 8 | 9 | ## Pipeline management 10 | 11 | This pipeline is managed directly via the `ci/pipelines/build-statsd-exporter-image.yml` concourse pipeline template. To make changes to the pipeline, update the file directly, then run the `ci/configure` script to apply the changes with the [fly cli](https://concourse-ci.org/fly.html). 12 | -------------------------------------------------------------------------------- /ci/pipelines/cf-for-k8s-dev-tooling.md: -------------------------------------------------------------------------------- 1 | # cf-for-k8s-dev-tooling 2 | 3 | ## Purpose 4 | ### Long-lived SLI Cluster 5 | Deploys the GKE cluster used in `cf-for-k8s-stability-tests` pipeline 6 | 7 | ### Docker Images 8 | Builds docker images used by CI: 9 | - `cf-for-k8s-ci` - used throughout Concourse pipelines 10 | - `cf-for-k8s-aws` - has AWS CLI and IAM authenticator 11 | - `cf-for-k8s-dind` - for situations where we need to run Docker inside Docker (i.e. dind) 12 | - `cf-for-k8s-azure` - has Azure CLI 13 | - `cf-for-k8s-deplab` - has deplab installed 14 | - `cf-for-k8s-gh-pages` - has hugo for building docs 15 | - `cf-k8s-networking-integration` - has tools for running network integration tests, including ginkgo, kubectl, k9s, etc. 
Stored under the `cf-k8s-networking-integration` tag of the `cf-for-k8s-dind` image 16 | 17 | ### RDS Databases 18 | Creates and destroys the rds database used by the validate-rds job in the cf-for-k8s-main pipeline. 19 | -------------------------------------------------------------------------------- /ci/pipelines/cf-for-k8s-iaas-tests.md: -------------------------------------------------------------------------------- 1 | # cf-for-k8s-iaas-tests 2 | 3 | ## Purpose 4 | 5 | This pipeline provides compatibility information for cf-for-k8s across Kubernetes providers that are not directly supported and validated by the main cf-for-k8s pipelines. At this time, those are: [EKS](https://aws.amazon.com/eks), [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), and [Minikube](https://github.com/kubernetes/minikube) running on a [GCE](https://cloud.google.com/compute) virtual machine. 6 | 7 | ## Validation Strategy 8 | 9 | For each IaaS provider, we keep [Terraform Kubernetes Provider](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs) configuration in the `/deploy` directory of cf-for-k8s. Using these templates, we dynamically provision a Kubernetes environment, install cf-for-k8s, run the smoke-tests in cf-for-k8s, run a subset of [cf-acceptance-tests](https://github.com/cloudfoundry/cf-acceptance-tests), and tear down the environment. We run the jobs in this pipeline informationally on a daily cadence. 10 | -------------------------------------------------------------------------------- /ci/pipelines/cf-for-k8s-stability-tests.md: -------------------------------------------------------------------------------- 1 | # cf-for-k8s-stability-tests 2 | 3 | ## Purpose 4 | All jobs use `long-lived-sli` cluster created by the `cf-for-k8s-dev-tooling` pipeline. 
5 | 6 | ### Long-lived environment 7 | Updated with the latest from `cf-for-k8s` main every weeknight 8 | 9 | ### SLIs 10 | Run smoke tests every minute and emit success/failure metrics to Wavefront 11 | 12 | ### Validate value rotation and upgrade 13 | Runs every weeknight. Updates the `cf-for-k8s` deployment with rotated values (for all that are safe to rotate) and 14 | confirms the result passes smoke tests and that previously-pushed apps are still running. 15 | 16 | -------------------------------------------------------------------------------- /ci/pipelines/cf-for-k8s-update-gh-pages.md: -------------------------------------------------------------------------------- 1 | # cf-for-k8s-update-gh-pages 2 | 3 | ## Purpose 4 | Updates the [cf-for-k8s docs site](https://cf-for-k8s.io/). Uses [hugo](https://github.com/gohugoio/hugo) to generate 5 | docs pages from the [cloudfoundry/cf-for-k8s-docs](https://github.com/cloudfoundry/cf-for-k8s-docs) repo and push them 6 | to the `gh-pages` branch, which is configured on GitHub to automatically update the docs site. 
7 | -------------------------------------------------------------------------------- /ci/tasks/build-statsd-exporter-image/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | trap "pkill dockerd" EXIT 5 | 6 | start-docker & 7 | echo 'until docker info; do sleep 5; done' >/usr/local/bin/wait_for_docker 8 | chmod +x /usr/local/bin/wait_for_docker 9 | timeout 300 wait_for_docker 10 | 11 | <<<"$DOCKERHUB_PASSWORD" docker login --username "$DOCKERHUB_USERNAME" --password-stdin 12 | 13 | pushd cf-for-k8s-images/images/build/statsd-exporter > /dev/null 14 | ./build.sh 15 | popd > /dev/null 16 | 17 | # image_ref="$(yq -r '.overrides[] | select(.image | test("/statsd_exporter-cf-for-k8s")).newImage' images/build/statsd-exporter/kbld.lock.yml)" 18 | # sed -i'' -e "s| metric_proxy:.*| metric_proxy: \"$image_ref\"|" metric-proxy/config/values/images.yml 19 | -------------------------------------------------------------------------------- /ci/tasks/build-statsd-exporter-image/task.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | image_resource: 4 | type: docker-image 5 | source: 6 | repository: cloudfoundry/cf-for-k8s-dind 7 | 8 | params: 9 | DOCKERHUB_USERNAME: ((dockerhub.username)) 10 | DOCKERHUB_PASSWORD: ((dockerhub.password)) 11 | GIT_COMMIT_EMAIL: cf-release-integration@pivotal.io 12 | GIT_COMMIT_USERNAME: "relint-ci" 13 | 14 | inputs: 15 | - name: cf-for-k8s-ci 16 | - name: cf-for-k8s-images 17 | - name: statsd_exporter 18 | 19 | run: 20 | path: cf-for-k8s-ci/ci/tasks/build-statsd-exporter-image/task.sh 21 | -------------------------------------------------------------------------------- /ci/tasks/bump-buildpacks/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: 
cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: cf-for-k8s-develop 12 | - name: ruby-buildpack 13 | - name: python-buildpack 14 | - name: java-buildpack 15 | - name: nodejs-buildpack 16 | - name: go-buildpack 17 | - name: dotnet-core-buildpack 18 | - name: php-buildpack 19 | - name: procfile-buildpack 20 | - name: cf-for-k8s-develop 21 | 22 | outputs: 23 | - name: cf-for-k8s-bumped 24 | 25 | run: 26 | path: cf-for-k8s-ci/ci/tasks/bump-buildpacks/task.sh 27 | -------------------------------------------------------------------------------- /ci/tasks/bump-core-component/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: cf-for-k8s-develop 12 | - name: release 13 | 14 | outputs: 15 | - name: cf-for-k8s-bump 16 | 17 | params: 18 | BUILD_DIR: "" 19 | GITHUB_RELEASE: 20 | REPO_NAME: 21 | VENDIR_GITHUB_API_TOKEN: 22 | VENDIR_GITHUB_RELEASE: 23 | 24 | run: 25 | path: cf-for-k8s-ci/ci/tasks/bump-core-component/task.sh 26 | -------------------------------------------------------------------------------- /ci/tasks/bump-stack/task.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | BUILD_IMAGE_SHA=$(cat build-image/digest) 6 | RUN_IMAGE_SHA=$(cat run-image/digest) 7 | 8 | pushd cf-for-k8s-develop 9 | sed -i -e "s|^ image: \"index.docker.io/paketobuildpacks/build@.*\"$| image: \"index.docker.io/paketobuildpacks/build@${BUILD_IMAGE_SHA}\"| w /dev/stdout" config/kpack/default-buildpacks.yml 10 | sed -i -e "s|^ image: \"index.docker.io/paketobuildpacks/run@.*\"$| image: \"index.docker.io/paketobuildpacks/run@${RUN_IMAGE_SHA}\"| w /dev/stdout" config/kpack/default-buildpacks.yml 11 | 12 | git config user.email "cf-release-integration@pivotal.io" 13 
| git config user.name "relint-ci" 14 | git add . 15 | 16 | git diff-index --quiet HEAD || git commit -m "Autobump stack images" 17 | popd 18 | mkdir -p cf-for-k8s-bumped 19 | cp -R cf-for-k8s-develop/. cf-for-k8s-bumped/ 20 | -------------------------------------------------------------------------------- /ci/tasks/bump-stack/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: cf-for-k8s-develop 12 | - name: build-image 13 | - name: run-image 14 | 15 | outputs: 16 | - name: cf-for-k8s-bumped 17 | 18 | run: 19 | path: cf-for-k8s-ci/ci/tasks/bump-stack/task.sh 20 | -------------------------------------------------------------------------------- /ci/tasks/check-pool-size/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -eu 3 | 4 | ready_pool_name="k8s-dev/ready" 5 | pool_dir="pool-repo" 6 | 7 | ready_count="$(find "${pool_dir}/${ready_pool_name}/unclaimed" -not -path '*/\.*' -type f | wc -l)" 8 | echo "Unclaimed ready envs: ${ready_count}" 9 | 10 | if [[ "${ready_count}" -lt "${POOL_SIZE_BUFFER_TARGET}" ]]; then 11 | echo "Fewer than ${POOL_SIZE_BUFFER_TARGET} envs are currently ready, going to trigger creation..." 12 | exit 1 13 | else 14 | echo "Minimum pool size of ${POOL_SIZE_BUFFER_TARGET} satisfied." 
15 | exit 0 16 | fi 17 | -------------------------------------------------------------------------------- /ci/tasks/check-pool-size/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-deployment-concourse-tasks 8 | 9 | inputs: 10 | - name: pool-repo 11 | - name: cf-for-k8s-develop-ci 12 | 13 | params: 14 | POOL_SIZE_BUFFER_TARGET: 15 | 16 | run: 17 | path: cf-for-k8s-develop-ci/ci/tasks/check-pool-size/task.sh 18 | -------------------------------------------------------------------------------- /ci/tasks/check-values-interface/task.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | function main() { 6 | local cwd="$1" 7 | 8 | local release_candidate_version 9 | release_candidate_version="v$(cat cf-for-k8s-rc-version/version)" 10 | 11 | local last_release_version 12 | last_release_version=$(curl --silent "https://api.github.com/repos/cloudfoundry/cf-for-k8s/releases/latest" | jq -r .tag_name) 13 | 14 | echo "Checking values interface for ${last_release_version} ---> ${release_candidate_version}" 15 | 16 | pushd cf-for-k8s-last-release > /dev/null 17 | cp ./sample-cf-install-values.yml ${cwd}/prev-release-sample-values.yml 18 | ./hack/generate-values.sh -d wingdang-foobrizzle > ${cwd}/wingdang-foobrizzle-values.yml 19 | popd > /dev/null 20 | 21 | pushd cf-for-k8s-rc > /dev/null 22 | ytt -f config/ -f ${cwd}/wingdang-foobrizzle-values.yml -f ${cwd}/prev-release-sample-values.yml > /dev/null 23 | popd > /dev/null 24 | } 25 | 26 | main "${PWD}" -------------------------------------------------------------------------------- /ci/tasks/check-values-interface/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | 
source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: cf-for-k8s-last-release 12 | - name: cf-for-k8s-rc 13 | - name: cf-for-k8s-rc-version 14 | 15 | params: 16 | GITHUB_API_USER: 17 | GITHUB_API_TOKEN: 18 | 19 | run: 20 | path: cf-for-k8s-ci/ci/tasks/check-values-interface/task.sh 21 | -------------------------------------------------------------------------------- /ci/tasks/check-vendir-sync/ignore-moved-lines.awk: -------------------------------------------------------------------------------- 1 | { s = substr($0, 1, 1); 2 | val = 0 3 | if (s == "+") { val = 1 } 4 | else if (s == "-") { val = -1 } 5 | if (val == 0 || substr($0, 2, 1) == s) { 6 | next 7 | } 8 | s = substr($0, 2); 9 | counts[s] += val 10 | } 11 | END { status = 0; 12 | for (idx in counts) { 13 | if (counts[idx] != 0) { 14 | printf("Unmatched: %s: %d\n", idx, counts[idx]); 15 | status = 1 16 | } 17 | } 18 | exit status 19 | } 20 | -------------------------------------------------------------------------------- /ci/tasks/check-vendir-sync/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: ci-tasks 11 | - name: cf-for-k8s 12 | 13 | params: 14 | VENDIR_GITHUB_API_TOKEN: 15 | REPO_DIR: cf-for-k8s 16 | 17 | run: 18 | path: ci-tasks/ci/tasks/check-vendir-sync/task.sh 19 | -------------------------------------------------------------------------------- /ci/tasks/create-kind-cluster/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | # Used to determine the config for the kind cluster 11 | - name: cf-for-k8s 12 | # Used as the task file source 13 | - name: cf-for-k8s-ci 14 
| # Used to set cluster version ranges 15 | - name: cf-for-k8s-cluster-versions 16 | - name: terraform 17 | 18 | params: 19 | GCP_KEY: 20 | GCP_PROJECT_NAME: 21 | VERSION_SELECTOR: 22 | 23 | run: 24 | path: cf-for-k8s-ci/ci/tasks/create-kind-cluster/task.sh 25 | -------------------------------------------------------------------------------- /ci/tasks/create-minikube-cluster/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | # Used to determine the config for the kind cluster 11 | - name: cf-for-k8s 12 | # Used as the task file source 13 | - name: cf-for-k8s-ci 14 | - name: terraform 15 | 16 | params: 17 | GCP_KEY: 18 | GCP_PROJECT_NAME: 19 | CPUS: 20 | MEMORY: 21 | 22 | run: 23 | path: cf-for-k8s-ci/ci/tasks/create-minikube-cluster/task.sh 24 | -------------------------------------------------------------------------------- /ci/tasks/create-rds-tf-vars-file/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | 12 | outputs: 13 | - name: tf-vars 14 | 15 | params: 16 | AWS_ACCESS_KEY_ID: 17 | AWS_SECRET_ACCESS_KEY: 18 | AWS_REGION: 19 | DATABASE_PASSWORD: 20 | 21 | run: 22 | path: /bin/bash 23 | args: 24 | - -ec 25 | - | 26 | cat < tf-vars/input.tfvars 27 | region = "$AWS_REGION" 28 | aws_access_key_id = "$AWS_ACCESS_KEY_ID" 29 | aws_secret_access_key = "$AWS_SECRET_ACCESS_KEY" 30 | database_password = "$DATABASE_PASSWORD" 31 | EOT 32 | -------------------------------------------------------------------------------- /ci/tasks/create-s3-bucket-data-values-file/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 
2 | 3 | BUCKET_PACKAGES="$(jq -r '.bucket_packages' terraform-s3/metadata)" 4 | BUCKET_DROPLETS="$(jq -r '.bucket_droplets' terraform-s3/metadata)" 5 | BUCKET_RESOURCES="$(jq -r '.bucket_resources' terraform-s3/metadata)" 6 | BUCKET_BUILDPACKS="$(jq -r '.bucket_buildpacks' terraform-s3/metadata)" 7 | 8 | echo "Generating blobstore values ..." 9 | 10 | cat > blobstore-metadata/blobstore-values.yaml < tf-vars-s3/env-name.txt 9 | 10 | cat < tf-vars-s3/input.tfvars 11 | region = "${AWS_REGION}" 12 | aws_access_key_id = "${AWS_ACCESS_KEY_ID}" 13 | aws_secret_access_key = "${AWS_SECRET_ACCESS_KEY}" 14 | bucket_suffix = "${SUFFIX}" 15 | EOT 16 | -------------------------------------------------------------------------------- /ci/tasks/create-s3-tf-vars-file/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | 12 | outputs: 13 | - name: tf-vars-s3 14 | 15 | params: 16 | AWS_ACCESS_KEY_ID: 17 | AWS_SECRET_ACCESS_KEY: 18 | AWS_REGION: 19 | 20 | run: 21 | path: cf-for-k8s-ci/ci/tasks/create-s3-tf-vars-file/task.sh 22 | -------------------------------------------------------------------------------- /ci/tasks/create-tag-annotation/task.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | function main() { 6 | local cwd="$1" 7 | 8 | local release_candidate_version 9 | release_candidate_version="v$(cat cf-for-k8s-version/version)" 10 | 11 | cat < "${cwd}/tag-annotation/body.txt" 12 | Tagging version: ${release_candidate_version} 13 | EOT 14 | } 15 | 16 | main "${PWD}" 17 | -------------------------------------------------------------------------------- /ci/tasks/create-tag-annotation/task.yml: -------------------------------------------------------------------------------- 1 | 
--- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-deployment-concourse-tasks 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: cf-for-k8s-version 12 | 13 | outputs: 14 | - name: tag-annotation 15 | 16 | run: 17 | path: cf-for-k8s-ci/ci/tasks/create-tag-annotation/task.sh 18 | -------------------------------------------------------------------------------- /ci/tasks/create-tf-vars-file/task.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu 4 | 5 | # Don't use -o pipefail for this part: head exits after one line, so the upstream commands in the pipeline get SIGPIPE and would otherwise fail the script 6 | env_suffix=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1) 7 | 8 | echo "${CLUSTER_NAME}-${env_suffix}" > tf-vars/env-name.txt 9 | cat < tf-vars/input.tfvars 10 | project = "${GCP_PROJECT_NAME}" 11 | region = "${GCP_PROJECT_REGION}" 12 | zone = "${GCP_PROJECT_ZONE}" 13 | service_account_key = "$(echo ${SERVICE_ACCOUNT_JSON} | jq -c '.' | sed -e 's#"#\\"#g' -e 's#\\n#\\\\n#g')" 14 | machine_type = "n1-standard-8" 15 | EOT 16 | -------------------------------------------------------------------------------- /ci/tasks/create-tf-vars-file/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | 12 | outputs: 13 | - name: tf-vars 14 | 15 | params: 16 | CLUSTER_NAME: 17 | GCP_PROJECT_NAME: 18 | GCP_PROJECT_REGION: 19 | GCP_PROJECT_ZONE: 20 | SERVICE_ACCOUNT_JSON: 21 | 22 | run: 23 | path: cf-for-k8s-ci/ci/tasks/create-tf-vars-file/task.sh 24 | -------------------------------------------------------------------------------- /ci/tasks/delete-cf/task.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | source 
cf-for-k8s-ci/ci/helpers/gke.sh 6 | 7 | if [[ -d pool-lock ]]; then 8 | if [[ -d tf-vars ]]; then 9 | echo "You may not specify both pool-lock and tf-vars" 10 | exit 1 11 | fi 12 | cluster_name="$(cat pool-lock/name)" 13 | load_balancer_static_ip="$(jq -r '.lb_static_ip' pool-lock/metadata)" 14 | elif [[ -d tf-vars ]]; then 15 | if [[ -d terraform ]]; then 16 | cluster_name="$(cat tf-vars/env-name.txt)" 17 | load_balancer_static_ip="$(jq -r '.lb_static_ip' terraform/metadata)" 18 | else 19 | echo "You must provide both tf-vars and terraform inputs together" 20 | exit 1 21 | fi 22 | else 23 | echo "You must provide either pool-lock or tf-vars" 24 | exit 1 25 | fi 26 | 27 | gcloud_auth "${cluster_name}" 28 | 29 | if kubectl get statefulset cf-db-postgresql -n cf-db > /dev/null 2>&1; then 30 | echo "Doing some special deletion of postgres resources..." 31 | set +e 32 | kubectl delete statefulset cf-db-postgresql -n cf-db 33 | kubectl delete pod cf-db-postgresql-0 -n cf-db --force --grace-period 0 34 | set -e 35 | fi 36 | 37 | kapp delete -a cf --yes 38 | -------------------------------------------------------------------------------- /ci/tasks/delete-cf/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: pool-lock 12 | optional: true 13 | - name: tf-vars 14 | optional: true 15 | - name: terraform 16 | optional: true 17 | 18 | params: 19 | GCP_SERVICE_ACCOUNT_JSON: 20 | GCP_PROJECT_NAME: 21 | GCP_PROJECT_ZONE: 22 | 23 | run: 24 | path: cf-for-k8s-ci/ci/tasks/delete-cf/task.sh 25 | -------------------------------------------------------------------------------- /ci/tasks/delete-rds/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | 3 | 4 | if [[ -f db-metadata/db-values.yaml ]];then 5 | 
export PGHOST=$(jq -r '.address' terraform-rds/metadata) 6 | 7 | CCDB_USERNAME="$(yq -r '.capi.database.user' db-metadata/db-values.yaml)" 8 | CCDB_NAME="$(yq -r '.capi.database.name' db-metadata/db-values.yaml)" 9 | 10 | UAADB_USERNAME="$(yq -r '.uaa.database.user' db-metadata/db-values.yaml)" 11 | UAADB_NAME="$(yq -r '.uaa.database.name' db-metadata/db-values.yaml)" 12 | 13 | cat > /tmp/setup_db.sql </usr/local/bin/wait_for_docker 7 | chmod +x /usr/local/bin/wait_for_docker 8 | timeout 300 wait_for_docker 9 | 10 | docker login -u "${DOCKER_USERNAME}" -p "${DOCKER_PASSWORD}" 11 | set -x 12 | docker load -i deplab-image/image.tar 13 | image_id=$(docker images --format '{{.ID}}' | head -n 1) 14 | tag=$(cat eirini-release/version) 15 | docker tag "${image_id}" "${REPOSITORY}":"${tag}" 16 | docker push "${REPOSITORY}":"${tag}" 17 | 18 | -------------------------------------------------------------------------------- /ci/tasks/publish-eirini-image/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-dind 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: deplab-image 12 | - name: eirini-release 13 | 14 | params: 15 | DOCKER_USERNAME: ((dockerhub.username)) 16 | DOCKER_PASSWORD: ((dockerhub.password)) 17 | REPOSITORY: 18 | 19 | run: 20 | path: cf-for-k8s-ci/ci/tasks/publish-eirini-image/task.sh 21 | -------------------------------------------------------------------------------- /ci/tasks/push-test-app/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -eu 3 | 4 | DNS_DOMAIN=$(cat env-metadata/dns-domain.txt) 5 | 6 | if ${VERIFY_EXISTING_APP}; then 7 | echo "Verify availability of existing app: ${APP_NAME}" 8 | curl -k --retry 6 --retry-connrefused ${APP_NAME}.apps.${DNS_DOMAIN} 9 | echo "Confirmed that existing app is still available" 10 | 
fi 11 | 12 | cf api api.${DNS_DOMAIN} --skip-ssl-validation 13 | cf auth admin "$(cat env-metadata/cf-admin-password.txt)" 14 | cf create-org org 15 | cf target -o org 16 | cf create-space space 17 | cf target -o org -s space 18 | 19 | app_path=cf-for-k8s/tests/smoke/assets/test-node-app 20 | if [[ -d application ]]; then 21 | app_path=application 22 | fi 23 | 24 | echo "Pushing ${APP_NAME}" 25 | cf -v push ${APP_NAME} -p ${app_path} -i ${APP_INSTANCES} 26 | 27 | echo "Verify availability of ${APP_NAME}" 28 | curl -k https://${APP_NAME}.apps.${DNS_DOMAIN} 29 | echo "Confirmed that app is available" 30 | -------------------------------------------------------------------------------- /ci/tasks/push-test-app/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s 11 | - name: cf-for-k8s-ci 12 | - name: env-metadata 13 | - name: application 14 | optional: true 15 | 16 | params: 17 | APP_NAME: 18 | APP_INSTANCES: 1 19 | VERIFY_EXISTING_APP: 20 | 21 | run: 22 | path: cf-for-k8s-ci/ci/tasks/push-test-app/task.sh 23 | -------------------------------------------------------------------------------- /ci/tasks/run-external-blobstore-validation-test/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: cf-for-k8s 12 | - name: env-metadata 13 | - name: pool-lock 14 | optional: true 15 | - name: tf-vars 16 | optional: true 17 | - name: terraform 18 | optional: true 19 | - name: blobstore-metadata 20 | 21 | params: 22 | EXTERNAL_BLOBSTORE: "incluster" 23 | 24 | run: 25 | path: cf-for-k8s-ci/ci/tasks/run-external-blobstore-validation-test/task.sh 26 | 
-------------------------------------------------------------------------------- /ci/tasks/run-external-db-validation-test/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s 11 | - name: cf-for-k8s-ci 12 | - name: pool-lock 13 | optional: true 14 | - name: tf-vars 15 | optional: true 16 | - name: terraform 17 | optional: true 18 | - name: db-metadata 19 | 20 | params: 21 | GCP_SERVICE_ACCOUNT_JSON: 22 | GCP_PROJECT_NAME: 23 | GCP_PROJECT_ZONE: 24 | EXTERNAL_DB: "rds" 25 | PGPASSWORD: 26 | 27 | run: 28 | path: cf-for-k8s-ci/ci/tasks/run-external-db-validation-test/task.sh 29 | -------------------------------------------------------------------------------- /ci/tasks/run-smoke-tests-on-kind/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -eou pipefail 3 | 4 | source cf-for-k8s-ci/ci/helpers/auth-to-gcp.sh 5 | 6 | cat < remote-run-smoke-tests.sh 7 | #!/usr/bin/env bash 8 | set -euo pipefail 9 | 10 | export HOME=/tmp/kind 11 | export PATH=/tmp/kind/bin:/tmp/kind/go/bin:\$PATH 12 | export CGO_ENABLED=0 13 | export GO111MODULE=on 14 | 15 | export SMOKE_TEST_API_ENDPOINT="https://api.vcap.me" 16 | export SMOKE_TEST_APPS_DOMAIN=apps.vcap.me 17 | export SMOKE_TEST_USERNAME=admin 18 | # The yq command to interpolate the CF admin password needs to run on the Concourse worker 19 | export SMOKE_TEST_PASSWORD="$(yq -r '.cf_admin_password' cf-install-values/cf-install-values.yml)" 20 | export SMOKE_TEST_SKIP_SSL=true 21 | /tmp/kind/cf-for-k8s/hack/run-smoke-tests.sh 22 | EOT 23 | chmod +x remote-run-smoke-tests.sh 24 | 25 | echo "Uploading remote-run-smoke-tests.sh..." 
26 | gcloud beta compute \ 27 | scp remote-run-smoke-tests.sh ${user_host}:/tmp \ 28 | --zone "us-central1-a" > /dev/null 29 | 30 | echo "Running remote-run-smoke-tests.sh..." 31 | gcloud beta compute \ 32 | ssh ${user_host} \ 33 | --command "/tmp/remote-run-smoke-tests.sh" \ 34 | --zone "us-central1-a" 35 | -------------------------------------------------------------------------------- /ci/tasks/run-smoke-tests-on-kind/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s 11 | - name: cf-for-k8s-ci 12 | - name: cf-install-values 13 | - name: terraform 14 | 15 | params: 16 | GCP_KEY: 17 | GCP_PROJECT_NAME: 18 | 19 | run: 20 | path: cf-for-k8s-ci/ci/tasks/run-smoke-tests-on-kind/task.sh 21 | -------------------------------------------------------------------------------- /ci/tasks/run-smoke-tests-on-minikube/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -eou pipefail 3 | 4 | source cf-for-k8s-ci/ci/helpers/auth-to-gcp.sh 5 | 6 | cat < remote-run-smoke-tests.sh 7 | #!/usr/bin/env bash 8 | set -euo pipefail 9 | 10 | export HOME=/tmp/minikube 11 | export PATH=/tmp/minikube/bin:/tmp/minikube/go/bin:\$PATH 12 | export CGO_ENABLED=0 13 | export GO111MODULE=on 14 | 15 | DOMAIN="\$(minikube ip).nip.io" 16 | export SMOKE_TEST_API_ENDPOINT="api.\${DOMAIN}" 17 | export SMOKE_TEST_APPS_DOMAIN="apps.\${DOMAIN}" 18 | export SMOKE_TEST_USERNAME=admin 19 | # The yq command to interpolate the CF admin password needs to run on the Concourse worker 20 | export SMOKE_TEST_PASSWORD="$(yq -r '.cf_admin_password' cf-install-values/cf-install-values.yml)" 21 | export SMOKE_TEST_SKIP_SSL=true 22 | /tmp/minikube/cf-for-k8s/hack/run-smoke-tests.sh 23 | EOT 24 | chmod +x remote-run-smoke-tests.sh 25 | 26 | echo "Uploading 
remote-run-smoke-tests.sh..." 27 | gcloud beta compute \ 28 | scp remote-run-smoke-tests.sh ${user_host}:/tmp \ 29 | --zone "us-central1-a" > /dev/null 30 | 31 | echo "Running remote-run-smoke-tests.sh..." 32 | gcloud beta compute \ 33 | ssh ${user_host} \ 34 | --command "/tmp/remote-run-smoke-tests.sh" \ 35 | --zone "us-central1-a" 36 | -------------------------------------------------------------------------------- /ci/tasks/run-smoke-tests-on-minikube/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s 11 | - name: cf-for-k8s-ci 12 | - name: cf-install-values 13 | - name: terraform 14 | 15 | params: 16 | GCP_KEY: 17 | GCP_PROJECT_NAME: 18 | 19 | run: 20 | path: cf-for-k8s-ci/ci/tasks/run-smoke-tests-on-minikube/task.sh 21 | -------------------------------------------------------------------------------- /ci/tasks/run-smoke-tests/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -eu 3 | 4 | DNS_DOMAIN=$(cat env-metadata/dns-domain.txt) 5 | export SMOKE_TEST_API_ENDPOINT="https://api.${DNS_DOMAIN}" 6 | export SMOKE_TEST_APPS_DOMAIN="apps.${DNS_DOMAIN}" 7 | export SMOKE_TEST_USERNAME=admin 8 | export SMOKE_TEST_PASSWORD=$(cat env-metadata/cf-admin-password.txt) 9 | 10 | echo "Running smoke tests with skip_ssl set to: ${SMOKE_TEST_SKIP_SSL}" 11 | 12 | if [[ ${SMOKE_TEST_SKIP_SSL} != "true" ]]; then 13 | echo "Updating trust store by appending default ca to ca-certificates.crt" 14 | cat env-metadata/default_ca.ca >> /etc/ssl/certs/ca-certificates.crt 15 | fi 16 | 17 | cf-for-k8s/hack/run-smoke-tests.sh 18 | 19 | -------------------------------------------------------------------------------- /ci/tasks/run-smoke-tests/task.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s 11 | - name: cf-for-k8s-ci 12 | - name: env-metadata 13 | 14 | params: 15 | SMOKE_TEST_SKIP_SSL: true 16 | 17 | run: 18 | path: cf-for-k8s-ci/ci/tasks/run-smoke-tests/task.sh 19 | -------------------------------------------------------------------------------- /ci/tasks/run-unit-tests/task: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -eux 3 | 4 | pushd "cf-for-k8s/tests/configs" > /dev/null 5 | ginkgo -r -v . 6 | popd > /dev/null 7 | 8 | pushd "cf-for-k8s/tests/ytt" > /dev/null 9 | ginkgo -r -v . 10 | popd > /dev/null 11 | -------------------------------------------------------------------------------- /ci/tasks/run-unit-tests/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | - name: cf-for-k8s 12 | 13 | run: 14 | path: cf-for-k8s-ci/ci/tasks/run-unit-tests/task 15 | -------------------------------------------------------------------------------- /ci/tasks/schedule-stale-envs-for-deletion/task: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -euo pipefail 3 | 4 | : "${STALE_AFTER_DAYS:?}" 5 | 6 | pushd pool-repo > /dev/null 7 | 8 | stale_starting_in_epoch="$(( $(date "+%s") - STALE_AFTER_DAYS * 60 * 60 * 24 ))" 9 | 10 | mapfile -t claimed_ready_locks < <(ls k8s-dev/ready/claimed/*) 11 | 12 | for claimed_ready_lock in "${claimed_ready_locks[@]}"; do 13 | locked_since_in_epoch="$(git log -1 --pretty="format:%ct" -- "$claimed_ready_lock")" 14 | 15 | if (( locked_since_in_epoch <= 
stale_starting_in_epoch )); then 16 | git mv "$claimed_ready_lock" k8s-dev/destroy/unclaimed 17 | fi 18 | done 19 | 20 | git config user.email "cf-release-integration@pivotal.io" 21 | git config user.name "relint-ci" 22 | git diff-index --quiet HEAD || git commit -m "Schedule stale claimed environments for destruction" 23 | 24 | popd 25 | -------------------------------------------------------------------------------- /ci/tasks/schedule-stale-envs-for-deletion/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/cf-for-k8s-ci 8 | 9 | inputs: 10 | - name: cf-for-k8s-develop-ci 11 | - name: pool-repo 12 | 13 | outputs: 14 | - name: pool-repo 15 | 16 | params: 17 | STALE_AFTER_DAYS: "5" 18 | 19 | run: 20 | path: cf-for-k8s-develop-ci/ci/tasks/schedule-stale-envs-for-deletion/task 21 | -------------------------------------------------------------------------------- /ci/tasks/verify-every-task-is-used-in-a-pipeline/task.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -u 4 | 5 | pushd cf-for-k8s-ci >> /dev/null 6 | FAIL=false 7 | 8 | for task_file in ci/tasks/*/task.yml; do 9 | ack "$task_file" ./ci >> /dev/null 10 | if [[ $? 
!= 0 ]]; then 11 | FAIL=true 12 | echo "$task_file is not used in any pipeline" 13 | fi 14 | 15 | done 16 | 17 | if $FAIL; then 18 | exit 1 19 | fi 20 | popd >> /dev/null 21 | -------------------------------------------------------------------------------- /ci/tasks/verify-every-task-is-used-in-a-pipeline/task.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: cloudfoundry/relint-base 8 | 9 | inputs: 10 | - name: cf-for-k8s-ci 11 | 12 | run: 13 | path: cf-for-k8s-ci/ci/tasks/verify-every-task-is-used-in-a-pipeline/task.sh 14 | -------------------------------------------------------------------------------- /community/code-of-conduct.md: -------------------------------------------------------------------------------- 1 | # CF for K8s follows the [Cloud Foundry Code of Conduct](https://www.cloudfoundry.org/code-of-conduct/) 2 | 3 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to any member of the [Maintainers list](MAINTAINERS.md). 
4 | -------------------------------------------------------------------------------- /config/0-min-kapp-version.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kapp.k14s.io/v1alpha1 3 | kind: Config 4 | metadata: 5 | name: kapp-version 6 | 7 | minimumRequiredVersion: 0.33.0 8 | -------------------------------------------------------------------------------- /config/0-min-version.star: -------------------------------------------------------------------------------- 1 | # filename starts with '0-' to make sure this file gets 2 | # processed first, consequently forcing version check run first 3 | 4 | load("@ytt:version", "version") 5 | 6 | version.require_at_least("0.28.0") 7 | -------------------------------------------------------------------------------- /config/2-fix-null-annotations.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #! Currently ytt does not allow overlaying maps on top of nils; 4 | #! 
remove nil annotations before further overlays (the overlay below drops the key rather than replacing it with an empty map) (https://github.com/k14s/ytt/issues/108) 5 | #@overlay/match by=overlay.subset({"metadata":{"annotations": None}}),expects="1+" 6 | --- 7 | metadata: 8 | #@overlay/remove 9 | annotations: 10 | -------------------------------------------------------------------------------- /config/add-kapp-istio-gateway-secret-refs.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kapp.k14s.io/v1alpha1 3 | kind: Config 4 | metadata: 5 | name: kapp-istio-gateway-rules 6 | 7 | templateRules: 8 | - resourceMatchers: 9 | - apiVersionKindMatcher: {apiVersion: v1, kind: Secret} 10 | affectedResources: 11 | objectReferences: 12 | - path: [spec, servers, {allIndexes: true}, tls] 13 | resourceMatchers: 14 | - apiVersionKindMatcher: {apiVersion: networking.istio.io/v1alpha3, kind: Gateway} 15 | nameKey: credentialName 16 | -------------------------------------------------------------------------------- /config/capi/_ytt_lib/capi-k8s-release/NOTICE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2020-Present CloudFoundry.org Foundation, Inc. All Rights Reserved. 2 | 3 | This project is licensed to you under the Apache License, Version 2.0 (the "License"). 4 | You may not use this project except in compliance with the License. 5 | 6 | This project may include a number of subcomponents with separate copyright notices 7 | and license terms. Your use of these subcomponents is subject to the terms and 8 | conditions of the subcomponent's license, as noted in the LICENSE file. 
9 | -------------------------------------------------------------------------------- /config/capi/_ytt_lib/capi-k8s-release/config/cc-kpack-registry-service-account.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: cc-kpack-registry-service-account 7 | namespace: #@ data.values.staging_namespace 8 | secrets: 9 | - name: cc-kpack-registry-auth-secret 10 | --- 11 | apiVersion: v1 12 | kind: Secret 13 | metadata: 14 | name: cc-kpack-registry-auth-secret 15 | namespace: #@ data.values.staging_namespace 16 | annotations: 17 | kpack.io/docker: #@ data.values.kpack.registry.hostname 18 | type: kubernetes.io/basic-auth 19 | stringData: 20 | username: #@ data.values.kpack.registry.username 21 | password: #@ data.values.kpack.registry.password 22 | --- 23 | apiVersion: v1 24 | kind: Secret 25 | metadata: 26 | name: cc-package-registry-upload-secret 27 | namespace: #@ data.values.system_namespace 28 | annotations: 29 | kpack.io/docker: #@ data.values.kpack.registry.hostname 30 | type: kubernetes.io/basic-auth 31 | stringData: 32 | username: #@ data.values.kpack.registry.username 33 | password: #@ data.values.kpack.registry.password 34 | -------------------------------------------------------------------------------- /config/capi/_ytt_lib/capi-k8s-release/config/ccng-configmap.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data","data") 2 | #@ load("@ytt:yaml","yaml") 3 | #@ load("ccng-config.lib.yml","ccng_config") 4 | --- 5 | apiVersion: v1 6 | kind: ConfigMap 7 | metadata: 8 | name: cloud-controller-ng-yaml 9 | namespace: #@ data.values.system_namespace 10 | annotations: 11 | kapp.k14s.io/versioned: "" 12 | data: 13 | cloud_controller_ng.yml: #@ yaml.encode(ccng_config()) 14 | -------------------------------------------------------------------------------- 
/config/capi/_ytt_lib/capi-k8s-release/config/cf-workloads-staging-namespace.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: #@ data.values.staging_namespace 7 | -------------------------------------------------------------------------------- /config/capi/_ytt_lib/capi-k8s-release/config/database-ca-cert-secret.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data","data") 2 | #@ load("@ytt:base64","base64") 3 | #@ if data.values.ccdb.ca_cert: 4 | --- 5 | apiVersion: v1 6 | kind: Secret 7 | metadata: 8 | name: database-ca-cert 9 | namespace: #@ data.values.system_namespace 10 | type: Opaque 11 | data: 12 | ca.crt: #@ base64.encode(data.values.ccdb.ca_cert) 13 | #@ end 14 | -------------------------------------------------------------------------------- /config/capi/_ytt_lib/capi-k8s-release/config/periodic-route-sync.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | --- 4 | apiVersion: apps.cloudfoundry.org/v1alpha1 5 | kind: PeriodicSync 6 | metadata: 7 | name: cf-api-periodic-route-sync 8 | namespace: #@ data.values.system_namespace 9 | spec: 10 | period_seconds: 15 11 | -------------------------------------------------------------------------------- /config/capi/_ytt_lib/capi-k8s-release/config/secrets-file.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data","data") 2 | #@ load("@ytt:yaml","yaml") 3 | #@ load("secrets.lib.yml", "ccng_secrets") 4 | --- 5 | apiVersion: v1 6 | kind: ConfigMap 7 | metadata: 8 | name: cloud-controller-ng-secrets-yaml 9 | namespace: #@ data.values.system_namespace 10 | annotations: 11 | kapp.k14s.io/versioned: "" 12 | data: 13 | secrets.yml: #@ yaml.encode(ccng_secrets()) 14 | 
-------------------------------------------------------------------------------- /config/capi/_ytt_lib/capi-k8s-release/config/service.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: capi 6 | namespace: #@ data.values.system_namespace 7 | spec: 8 | type: ClusterIP 9 | ports: 10 | - port: 80 11 | targetPort: 80 12 | protocol: TCP 13 | name: http 14 | - port: 9023 15 | targetPort: 9023 16 | protocol: TCP 17 | name: http-internal 18 | selector: 19 | app.kubernetes.io/name: cf-api-server 20 | -------------------------------------------------------------------------------- /config/capi/_ytt_lib/capi-k8s-release/config/values/images.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@data/values 3 | --- 4 | #@overlay/match missing_ok=True 5 | images: 6 | backup_metadata_generator: cloudfoundry/cf-api-backup-metadata-generator@sha256:0f3098d99b35bfb9608b580323e0cc454bd254afaf08cd02acec58af770fea4f 7 | ccng: cloudfoundry/cloud-controller-ng@sha256:6c320fac9cbd9f2634a6e5a446fec7a338964f876aae89eea080518f5e0ff764 8 | cf_api_controllers: cloudfoundry/cf-api-controllers@sha256:46ddb6a7b152bb4a74d1dee8a263166da8c9d7740bb72eb8190ddb5b4f265526 9 | cf_autodetect_builder: cloudfoundry/cnb:0.0.94-bionic@sha256:5b03a853e636b78c44e475bbc514e2b7b140cc41cca8ab907e9753431ae8c0b0 10 | nginx: cloudfoundry/capi-nginx@sha256:da9dc5d2431c55affe8a6d07169199e958a619d0159cbbf99d130ff4a45d11d5 11 | registry_buddy: cloudfoundry/cf-api-package-registry-buddy@sha256:163aca64a4e0aa1a3c8a9555d13b3c7218ae059c1ec2d986d783d961daa52d1d 12 | statsd_exporter: cloudfoundry/statsd_exporter-cf-for-k8s@sha256:62d035035f3c97efc183fa4b2a544f2464dd579992bb38f3dacfffe2ae4618da 13 | -------------------------------------------------------------------------------- /config/capi/add-statsd-exporter-probes.yml: 
-------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"cf-api-server"}}), expects=1 4 | --- 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | #@overlay/match by=overlay.subset({"name":"statsd-exporter"}),expects="1+" 10 | - 11 | #@overlay/match missing_ok=True 12 | livenessProbe: 13 | httpGet: 14 | path: /metrics 15 | port: 9102 16 | failureThreshold: 2 17 | periodSeconds: 5 18 | #@overlay/match missing_ok=True 19 | readinessProbe: 20 | httpGet: 21 | path: /metrics 22 | port: 9102 23 | -------------------------------------------------------------------------------- /config/capi/allow-prometheus-metrics-access.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | 4 | #@ if data.values.allow_prometheus_metrics_access: 5 | #! Removes Istio-proxy access restriction towards Prometheus metrics endpoint/port. 6 | #! Allows any Prometheus or other component to scrape the metrics endpoint; because inbound traffic to that port is no longer routed through the sidecar, it is also not covered by the mesh's mTLS or authorization policies. 
7 | #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"cf-api-server"}}), expects=1 8 | --- 9 | spec: 10 | template: 11 | metadata: 12 | annotations: 13 | #@overlay/match missing_ok=True 14 | traffic.sidecar.istio.io/excludeInboundPorts: "9102" 15 | #@ end 16 | -------------------------------------------------------------------------------- /config/capi/staging-ns-label.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("/namespaces.star", "workloads_staging_namespace") 3 | 4 | #@overlay/match by=overlay.subset({"kind": "Namespace", "metadata":{"name": workloads_staging_namespace()}}), expects=1 5 | --- 6 | metadata: 7 | #@overlay/match missing_ok=True 8 | labels: 9 | #@overlay/match missing_ok=True 10 | cf-for-k8s.cloudfoundry.org/cf-workloads-staging-ns: "" 11 | -------------------------------------------------------------------------------- /config/check-required-arguments.yml: -------------------------------------------------------------------------------- 1 | --- 2 | #@ load("@ytt:data", "data") 3 | #@ load("@ytt:assert", "assert") 4 | #@ load("/get_missing_parameters.star", "get_missing_parameters") 5 | 6 | #@ missing_parameters = get_missing_parameters(data.values) 7 | #@ if len(missing_parameters) > 0: 8 | require_parameter_check: #@ assert.fail("The following required data.values parameters are missing: %s" % (missing_parameters,)) 9 | #@ end 10 | -------------------------------------------------------------------------------- /config/eirini/enable-automount-service-account-token.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | #@ load("@ytt:yaml", "yaml") 4 | 5 | #@ if data.values.enable_automount_service_account_token: 6 | #! Patch service accounts to enable automount 7 | #! 
- Kind does not support setting it to false right now 8 | 9 | #@ def update_eirini_config(): 10 | #@overlay/match missing_ok=True 11 | #@overlay/replace 12 | unsafe_allow_automount_service_account_token: true 13 | #@ end 14 | 15 | #@overlay/match by=overlay.subset({"kind": "ConfigMap","metadata":{"name":"eirini-api"}}) 16 | --- 17 | data: 18 | #@overlay/replace via=lambda a,_: yaml.encode(overlay.apply(yaml.decode(a), update_eirini_config())) 19 | api.yml: 20 | 21 | #@overlay/match by=overlay.subset({"kind":"ServiceAccount", "metadata": {"name":"eirini"}}),expects="0+" 22 | --- 23 | #@overlay/match missing_ok=True 24 | #@overlay/replace 25 | automountServiceAccountToken: true 26 | #@ end 27 | -------------------------------------------------------------------------------- /config/eirini/set-instance-index-env-injector-webhook-ca.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("@ytt:data", "data") 3 | #@ load("@ytt:base64", "base64") 4 | 5 | #@overlay/match by=overlay.subset({"kind": "MutatingWebhookConfiguration", "metadata":{"name": "eirini-x-mutating-hook"}}) 6 | --- 7 | webhooks: 8 | #@overlay/match by="name" 9 | - name: instance-index-env-injector.eirini.cloudfoundry.org 10 | clientConfig: 11 | #@overlay/replace 12 | caBundle: #@ base64.encode("{}".format(data.values.instance_index_env_injector_certificate.ca)) 13 | -------------------------------------------------------------------------------- /config/istio/README.md: -------------------------------------------------------------------------------- 1 | ## Istio configuration 2 | 3 | This folder contains overlays and configuration to set up Istio in CF for K8s. 4 | 5 | Currently, CF for K8s is tightly coupled to Istio and to this configuration in particular. 6 | 7 | However, we strongly encourage CF users to treat this configuration as an implementation detail, and to not depend on it. 
8 | Over time, as we work to support a wider variety of networking technologies within CF for K8s, this configuration may change, 9 | and the Istio integration may become optional, rather than required. 10 | -------------------------------------------------------------------------------- /config/istio/add-istio-injection.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@ is_ns = overlay.subset({"kind":"Namespace"}) 4 | #@ not_istio_ns = overlay.not_op(overlay.subset({"metadata":{"name":"istio-system"}})) 5 | 6 | #@overlay/match by=overlay.and_op(is_ns, not_istio_ns), expects="1+" 7 | --- 8 | metadata: 9 | #@overlay/match missing_ok=True 10 | labels: 11 | #@overlay/match missing_ok=True 12 | istio-injection: enabled 13 | -------------------------------------------------------------------------------- /config/istio/add-istio-version-to-podspecs.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("istio-version.star", "istio_version") 3 | 4 | #@ is_deployment = overlay.subset({"kind":"Deployment"}) 5 | #@ is_daemonset = overlay.subset({"kind":"DaemonSet"}) 6 | #@ is_statefulset = overlay.subset({"kind":"StatefulSet"}) 7 | #@ is_podspec = overlay.or_op(is_deployment, is_daemonset, is_statefulset) 8 | #@ not_istio_ns = overlay.not_op(overlay.subset({"metadata":{"namespace":"istio-system"}})) 9 | 10 | #@overlay/match by=overlay.and_op(is_podspec, not_istio_ns), expects="1+" 11 | --- 12 | spec: 13 | template: 14 | #@overlay/match missing_ok=True 15 | metadata: 16 | #@overlay/match missing_ok=True 17 | labels: 18 | #@overlay/match missing_ok=True 19 | cloudfoundry.org/istio_version: #@ istio_version() 20 | -------------------------------------------------------------------------------- /config/istio/app-sidecar.yaml: -------------------------------------------------------------------------------- 1 | #@ 
load("/namespaces.star", "system_namespace", "workloads_namespace") 2 | 3 | --- 4 | apiVersion: networking.istio.io/v1alpha3 5 | kind: Sidecar 6 | metadata: 7 | name: default 8 | namespace: #@ workloads_namespace() 9 | spec: 10 | egress: 11 | - hosts: 12 | - #@ system_namespace() + "/*" 13 | -------------------------------------------------------------------------------- /config/istio/gateway.lib.yml: -------------------------------------------------------------------------------- 1 | #@ def gateway(system_domain, app_domains, system_namespace, workloads_namespace, https_only): 2 | apiVersion: networking.istio.io/v1alpha3 3 | kind: Gateway 4 | metadata: 5 | name: istio-ingressgateway 6 | namespace: #@ system_namespace 7 | spec: 8 | selector: 9 | istio: ingressgateway 10 | servers: 11 | - hosts: 12 | #! TODO: restrict this 13 | - '*' 14 | port: 15 | name: http 16 | number: 80 17 | protocol: HTTP 18 | tls: 19 | httpsRedirect: #@ https_only 20 | - hosts: 21 | - #@ ('' if system_domain in app_domains else '*/') + '*.' + system_domain 22 | port: 23 | name: https-system 24 | number: 443 25 | protocol: HTTPS 26 | tls: 27 | mode: SIMPLE 28 | credentialName: cf-system-cert 29 | #@ non_system_domain_app_domains = [d for d in app_domains if d != system_domain] 30 | #@ if/end len(non_system_domain_app_domains) > 0: 31 | - hosts: 32 | #@ for/end app_domain in non_system_domain_app_domains: 33 | - #@ workloads_namespace + '/*.' 
+ app_domain 34 | port: 35 | name: https-workloads 36 | number: 443 37 | protocol: HTTPS 38 | tls: 39 | credentialName: cf-workloads-cert 40 | mode: SIMPLE 41 | #@ end 42 | -------------------------------------------------------------------------------- /config/istio/ingressgateway-service-nodeport.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | 4 | #@ if data.values.load_balancer.enable == False: 5 | #@overlay/match by=overlay.subset({"kind":"Service","metadata":{"name":"istio-ingressgateway"}}) 6 | --- 7 | spec: 8 | #@overlay/replace 9 | type: NodePort 10 | #@ end 11 | -------------------------------------------------------------------------------- /config/istio/istio-generated/README.md: -------------------------------------------------------------------------------- 1 | # Files in this folder are autogenerated, please do not edit them. 2 | -------------------------------------------------------------------------------- /config/istio/istio-version.star: -------------------------------------------------------------------------------- 1 | def istio_version(): 2 | return "1.14.3" 3 | end 4 | -------------------------------------------------------------------------------- /config/istio/label-istio-ns.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@overlay/match by=overlay.subset({"kind":"Namespace", "metadata":{"name": "istio-system"}}) 4 | --- 5 | metadata: 6 | #@overlay/match missing_ok=True 7 | labels: 8 | #@overlay/match missing_ok=True 9 | cf-for-k8s.cloudfoundry.org/istio-system-ns: "" 10 | -------------------------------------------------------------------------------- /config/istio/peer-auth-fluentd.yaml: -------------------------------------------------------------------------------- 1 | #@ load("/namespaces.star", "system_namespace") 2 | 3 | --- 4 | 
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: fluentd-allow-plaintext
  namespace: #@ system_namespace()
spec:
  selector:
    matchLabels:
      app: fluentd
  #! PERMISSIVE lets pods matching app=fluentd accept plaintext as well as
  #! mTLS connections, so the source principal of traffic reaching fluentd is
  #! not guaranteed to be verified. Keep the selector this narrow so the
  #! exception does not widen to other workloads in the system namespace.
  mtls:
    mode: PERMISSIVE
-------------------------------------------------------------------------------- /config/istio/remove-hpas-and-scale-istiod.yml: --------------------------------------------------------------------------------
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")

#! Drop every HorizontalPodAutoscaler shipped with the Istio manifests; the
#! istiod replica count is pinned explicitly below instead of being autoscaled.
#@overlay/match by=overlay.subset({"kind":"HorizontalPodAutoscaler"}), expects="1+"
#@overlay/remove
---

#! remove_resource_requirements presumably marks a small (dev/Kind) footprint,
#! where a single istiod is enough; otherwise run two for availability.
#@ if data.values.remove_resource_requirements:
#@ num_istiod_replicas = 1
#@ else:
#@ num_istiod_replicas = 2
#@ end
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"istiod"}}),expects=1
---
spec:
  #@overlay/match missing_ok=True
  replicas: #@ num_istiod_replicas
-------------------------------------------------------------------------------- /config/istio/use-external-dns-for-wildcard.yml: --------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")

#! When enabled, annotate the ingress gateway Service so external-dns publishes
#! a wildcard record for the system domain pointing at the gateway.
#@ if data.values.use_external_dns_for_wildcard:
#@overlay/match by=overlay.subset({"kind": "Service", "metadata":{"name": "istio-ingressgateway"}})
---
metadata:
  #@overlay/match missing_ok=True
  annotations:
    #@overlay/match missing_ok=True
    external-dns.alpha.kubernetes.io/hostname: #@ "*."
+ data.values.system_domain 12 | #@overlay/match missing_ok=True 13 | external-dns.alpha.kubernetes.io/ttl: "10" 14 | #@ end 15 | -------------------------------------------------------------------------------- /config/kapp-rebase-rules.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kapp.k14s.io/v1alpha1 3 | kind: Config 4 | metadata: 5 | name: "kapp-config" 6 | rebaseRules: 7 | - paths: 8 | - [metadata, annotations] 9 | - [webhooks, {allIndexes: true}, rules] 10 | - [webhooks, {allIndexes: true}, namespaceSelector] 11 | - [webhooks, {allIndexes: true}, clientConfig, service, path] 12 | - [webhooks, {allIndexes: true}, sideEffects] 13 | - [webhooks, {allIndexes: true}, timeoutSeconds] 14 | 15 | type: copy 16 | sources: [new, existing] 17 | resourceMatchers: 18 | - apiVersionKindMatcher: 19 | apiVersion: admissionregistration.k8s.io/v1beta1 20 | kind: MutatingWebhookConfiguration 21 | name: resource.webhook.kpack.pivotal.io 22 | -------------------------------------------------------------------------------- /config/kpack/kapp-order.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@overlay/match by=overlay.subset({"kind":"ClusterStore"}) 4 | --- 5 | metadata: 6 | #@overlay/match missing_ok=True 7 | annotations: 8 | #@overlay/match missing_ok=True 9 | kapp.k14s.io/change-group.kpack-resources: "cf-for-k8s.cloudfoundry.org/kpack-resources" 10 | 11 | #@overlay/match by=overlay.subset({"kind":"ClusterStack"}) 12 | --- 13 | metadata: 14 | #@overlay/match missing_ok=True 15 | annotations: 16 | #@overlay/match missing_ok=True 17 | kapp.k14s.io/change-group.kpack-resources: "cf-for-k8s.cloudfoundry.org/kpack-resources" 18 | 19 | #@overlay/match by=overlay.subset({"kind":"Builder"}) 20 | --- 21 | metadata: 22 | #@overlay/match missing_ok=True 23 | annotations: 24 | #@overlay/match missing_ok=True 25 | 
kapp.k14s.io/change-rule.kpack-resources: "upsert after upserting cf-for-k8s.cloudfoundry.org/kpack-resources" 26 | -------------------------------------------------------------------------------- /config/kpack/kapp-wait-rules.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kapp.k14s.io/v1alpha1 3 | kind: Config 4 | metadata: 5 | name: "kapp-wait-rule-config" 6 | waitRules: 7 | - supportsObservedGeneration: true 8 | conditionMatchers: 9 | - type: Ready 10 | status: "True" 11 | success: true 12 | resourceMatchers: 13 | - apiVersionKindMatcher: {apiVersion: kpack.io/v1alpha1, kind: ClusterStack} 14 | - apiVersionKindMatcher: {apiVersion: kpack.io/v1alpha1, kind: ClusterStore} 15 | - supportsObservedGeneration: true 16 | conditionMatchers: 17 | - type: Ready 18 | status: "True" 19 | success: true 20 | - type: Ready 21 | status: "False" 22 | failure: true 23 | resourceMatchers: 24 | - apiVersionKindMatcher: {apiVersion: kpack.io/v1alpha1, kind: Builder} 25 | 26 | 27 | -------------------------------------------------------------------------------- /config/kpack/kpack-ns-label.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@overlay/match by=overlay.subset({"kind": "Namespace", "metadata":{"name": "kpack"}}), expects=1 4 | --- 5 | metadata: 6 | #@overlay/match missing_ok=True 7 | labels: 8 | #@overlay/match missing_ok=True 9 | cf-for-k8s.cloudfoundry.org/kpack-ns: "" 10 | -------------------------------------------------------------------------------- /config/logging/_ytt_lib/cf-k8s-logging/_defaults.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | system_domain: "" 4 | system_namespace: "" 5 | app_log_destinations: [] 6 | 7 | fluentd: 8 | prometheus: 9 | path: '/metrics' 10 | port: '24231' 11 | 12 | debug: false 13 | 
-------------------------------------------------------------------------------- /config/logging/_ytt_lib/cf-k8s-logging/fluent-ingress-service.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: fluentd-forwarder-ingress 7 | namespace: cf-system 8 | spec: 9 | selector: 10 | app: fluentd 11 | ports: 12 | - protocol: TCP 13 | port: 24224 14 | -------------------------------------------------------------------------------- /config/logging/_ytt_lib/cf-k8s-logging/images.yml: -------------------------------------------------------------------------------- 1 | 2 | #@ load("@ytt:overlay", "overlay") 3 | #@data/values 4 | --- 5 | #@overlay/match missing_ok=True 6 | images: 7 | log_cache: "cloudfoundry/log-cache@sha256:76c674790dec25b329e5e3e6887a04c65d24ff4c661c88f8f105e8bce845c629" 8 | syslog_server: "cloudfoundry/syslog-server@sha256:ec4e5aad3b0e898153583826e487cc7e05e261ccaed33a45ff2dca41eb7e8f24" 9 | log_cache_gateway: "cloudfoundry/log-cache-gateway@sha256:67ed09c7e1d5ba868df649b1fb9aa5b2740ec6bc40d83773128ccdcd5b82b845" 10 | fluent: "cloudfoundry/cf-k8s-logging@sha256:f8f12de18cf9c4fc6b358ec072d66cd1220f3bd056bae04c5c3657f749a0ca1f" 11 | cf_auth_proxy: "cloudfoundry/log-cache-cf-auth-proxy@sha256:6ca7bd08b5897c89404501efe4d4ad859813f65481ab0f96a6bdb63e86d8d0f4" 12 | -------------------------------------------------------------------------------- /config/logging/_ytt_lib/cf-k8s-logging/log-cache-api-service.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: log-cache-api 7 | namespace: #@ data.values.system_namespace 8 | spec: 9 | selector: 10 | app: log-cache-api 11 | ports: 12 | - protocol: TCP 13 | port: 8083 14 | name: http 15 | 
-------------------------------------------------------------------------------- /config/logging/_ytt_lib/cf-k8s-logging/log-cache-service.yaml: --------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
---
apiVersion: v1
kind: Service
metadata:
  name: log-cache
  namespace: #@ data.values.system_namespace
spec:
  selector:
    app: log-cache
  ports:
    - protocol: TCP
      port: 8080
-------------------------------------------------------------------------------- /config/logging/_ytt_lib/cf-k8s-logging/log-cache-virualservice.yml: --------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: log-cache-external-virtual-service
  namespace: #@ data.values.system_namespace
spec:
  #! NOTE(review): the gateway reference hard-codes the cf-system namespace,
  #! while the namespace above and the destination host below are derived from
  #! data.values.system_namespace. The two diverge if system_namespace is ever
  #! changed; consider building this reference from the same value.
  gateways:
  - cf-system/istio-ingressgateway
  hosts:
  - #@ "log-cache.{}".format(data.values.system_domain)
  http:
  - route:
    - destination:
        host: #@ "log-cache-api.{}.svc.cluster.local".format(data.values.system_namespace)
        port:
          number: 8083
-------------------------------------------------------------------------------- /config/logging/_ytt_lib/cf-k8s-logging/logging-metadata-service-account.yaml: --------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: fluentd-service-account
  namespace: #@ data.values.system_namespace

---
#! Cluster-wide read access to pods and namespaces for the fluentd service
#! account (bound below); presumably used to enrich log records with pod
#! metadata — verify against the fluentd configuration.
#! NOTE(review): a ClusterRole is cluster-scoped, so the namespace field here
#! has no effect. apiGroups ["*"] is also wider than needed: pods and
#! namespaces are in the core group, so [""] grants exactly what is listed.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-namespace-read
  namespace: #@ data.values.system_namespace
rules:
  - apiGroups: ["*"]
    resources: ["pods", "namespaces"]
    verbs: ["get", "watch", "list"]

---
kind: ClusterRoleBinding
apiVersion:
rbac.authorization.k8s.io/v1 23 | metadata: 24 | name: fluentd-service-account-pod-namespace-read 25 | roleRef: 26 | apiGroup: rbac.authorization.k8s.io 27 | kind: ClusterRole 28 | name: pod-namespace-read 29 | subjects: 30 | - kind: ServiceAccount 31 | name: fluentd-service-account 32 | namespace: #@ data.values.system_namespace 33 | -------------------------------------------------------------------------------- /config/logging/_ytt_lib/cf-k8s-logging/syslog-service.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: log-cache-syslog 7 | namespace: #@ data.values.system_namespace 8 | spec: 9 | selector: 10 | app: log-cache 11 | ports: 12 | - protocol: TCP 13 | port: 8082 14 | -------------------------------------------------------------------------------- /config/logging/logging.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:library", "library") 3 | #@ load("@ytt:template", "template") 4 | #@ load("/namespaces.star", "system_namespace") 5 | 6 | #@ def logging_values(): 7 | system_domain: #@ data.values.system_domain 8 | system_namespace: #@ system_namespace() 9 | 10 | app_log_destinations: 11 | #@ for/end destination in data.values.app_log_destinations: 12 | #@overlay/append 13 | - #@ destination 14 | 15 | #@ end 16 | #@ logging = library.get("cf-k8s-logging") 17 | --- #@ template.replace(logging.with_data_values(logging_values()).eval()) 18 | -------------------------------------------------------------------------------- /config/metrics/_ytt_lib/metric-proxy/100-metric-proxy-service-account.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | kind: ServiceAccount 4 | apiVersion: v1 5 | metadata: 6 | name: metric-proxy 7 | 8 | --- 9 | kind: ClusterRole 10 | 
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metric-proxy
#! NOTE(review): "get" on nodes/proxy allows requests to be relayed through the
#! kubelet API of every node, which is considerably more than reading pods and
#! namespaces; keep this role bound only to the metric-proxy ServiceAccount
#! (see the binding below). apiGroups ["*"] is wider than needed — all three
#! resources are in the core group, so [""] would suffice.
rules:
  - apiGroups: ["*"]
    resources: ["pods", "namespaces", "nodes/proxy"]
    verbs: ["get", "watch", "list"]

---
#! Binds the cluster-wide role above to the metric-proxy ServiceAccount in the
#! system namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metric-proxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metric-proxy
subjects:
  - kind: ServiceAccount
    name: metric-proxy
    namespace: #@ data.values.system_namespace

-------------------------------------------------------------------------------- /config/metrics/_ytt_lib/metric-proxy/400-metric-proxy-service.yml: --------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: metric-proxy
spec:
  selector:
    app: metric-proxy
  ports:
    - protocol: TCP
      port: 8080
      #! NOTE(review): the port name "https" is what Istio's protocol selection
      #! reads; the container in the deployment below listens on ADDR=:8080.
      #! Confirm that listener actually serves TLS, otherwise name it "http".
      name: https
-------------------------------------------------------------------------------- /config/metrics/_ytt_lib/metric-proxy/500-metric-proxy-deployment.yml: --------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metric-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: metric-proxy
  template:
    metadata:
      #! Prometheus scrapes the metrics listener on 9090, separate from the
      #! API listener on 8080.
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: metric-proxy
      containers:
        - name: metric-proxy
          #! The image reference in images.yml is pinned by digest, so
          #! imagePullPolicy Always only costs a registry check; it does not
          #! pull a different image.
          #! NOTE(review): no securityContext is set on this container;
          #! consider runAsNonRoot / readOnlyRootFilesystem if the image
          #! supports them.
          image: #@ data.values.images.metric_proxy
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
            - containerPort: 9090
          env:
            - name: ADDR
              value: :8080
            - name: APP_SELECTOR
              value: cloudfoundry.org/guid
            #! NOTE(review): NAMESPACE is hard-coded to cf-workloads while the
            #! rest of the config derives it from workloads_namespace() in
            #! config/namespaces.star; keep the two in sync or template it.
            - name: NAMESPACE
              value: cf-workloads
            - name: QUERY_TIMEOUT
value: "5" 36 | resources: 37 | limits: 38 | cpu: 30m 39 | memory: 25Mi 40 | requests: 41 | cpu: 15m 42 | memory: 10Mi 43 | -------------------------------------------------------------------------------- /config/metrics/_ytt_lib/metric-proxy/_defaults.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | system_domain: "" 4 | system_namespace: "" 5 | 6 | name: metric-proxy 7 | component: container-metrics 8 | part_of: cloudfoundry 9 | managed_by: metric-egress 10 | version: 1.3.0 11 | -------------------------------------------------------------------------------- /config/metrics/_ytt_lib/metric-proxy/images.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@data/values 3 | --- 4 | #@overlay/match missing_ok=True 5 | images: 6 | metric_proxy: "cloudfoundry/metric-proxy@sha256:0f10d093fbb4437e071dcf31411ef344b4059bf26494e4b23e2625a7d9d4e77e" -------------------------------------------------------------------------------- /config/metrics/_ytt_lib/metric-proxy/metadata.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("@ytt:data", "data") 3 | 4 | #@ def metadata_labels(): 5 | app: #@ data.values.name 6 | app.kubernetes.io/name: #@ data.values.name 7 | app.kubernetes.io/version: #@ data.values.version 8 | app.kubernetes.io/component: #@ data.values.component 9 | app.kubernetes.io/part-of: #@ data.values.part_of 10 | app.kubernetes.io/managed-by: #@ data.values.managed_by 11 | #@ end 12 | 13 | 14 | #@overlay/match by=overlay.all,expects="1+" 15 | --- 16 | #@overlay/match-child-defaults missing_ok=True 17 | metadata: 18 | namespace: #@ data.values.system_namespace 19 | labels: #@ metadata_labels() 20 | 21 | #@overlay/match by=overlay.subset({"kind":"Deployment"}),missing_ok=True 22 | --- 23 | spec: 24 | #@overlay/match-child-defaults 
missing_ok=True 25 | template: 26 | metadata: 27 | namespace: #@ data.values.system_namespace 28 | labels: #@ metadata_labels() 29 | -------------------------------------------------------------------------------- /config/metrics/allow-prometheus-metrics-access.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | 4 | #@ if data.values.allow_prometheus_metrics_access: 5 | #! Removes Istio-proxy access restriction towards Prometheus metrics endpoint/port. 6 | #! Allows any Prometheus or other component to scrape the metrics endpoint. 7 | #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"metric-proxy"}}), expects=1 8 | --- 9 | spec: 10 | template: 11 | metadata: 12 | annotations: 13 | #@overlay/match missing_ok=True 14 | traffic.sidecar.istio.io/excludeInboundPorts: "9090" 15 | #@ end 16 | -------------------------------------------------------------------------------- /config/metrics/metrics-server-prefer-internal-kubelet-address.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | 4 | #@ if data.values.metrics_server_prefer_internal_kubelet_address: 5 | #! Patch metrics-server to work in Kind 6 | #! https://github.com/kubernetes-sigs/kind/issues/398#issuecomment-621143252 7 | #! 
https://github.com/kubernetes-sigs/metrics-server/issues/131#issuecomment-618671827

#@overlay/match by=overlay.subset({"kind":"Deployment","metadata":{"name":"metrics-server", "namespace":"kube-system"}})
---
spec:
  template:
    spec:
      containers:
      #@overlay/match by="name"
      - name: metrics-server
        #@overlay/replace
        args:
        - --cert-dir=/tmp
        - --secure-port=4443
        #! NOTE(review): --kubelet-insecure-tls makes metrics-server skip
        #! verification of the kubelets' serving certificates, which is more
        #! than the data value name (prefer internal kubelet address) conveys.
        #! This is acceptable for Kind, whose kubelet certificates are not
        #! signed for their IPs; keep the flag disabled on real clusters.
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP
#@ end
-------------------------------------------------------------------------------- /config/metrics/metrics.yml: --------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#@ load("@ytt:library", "library")
#@ load("@ytt:template", "template")
#@ load("/namespaces.star", "system_namespace")

#! Values handed to the metric-proxy library; its _defaults.yml declares the
#! same keys with empty defaults.
#@ def metrics_values():
system_domain: #@ data.values.system_domain
system_namespace: #@ system_namespace()
#@ end

#@ metrics = library.get("metric-proxy")
--- #@ template.replace(metrics.with_data_values(metrics_values()).eval())
-------------------------------------------------------------------------------- /config/minio/minio.star: --------------------------------------------------------------------------------
load("@ytt:data", "data")

# The bundled minio is deployed only when blobstore.endpoint is exactly the
# in-cluster default URL; pointing the endpoint at any other blobstore
# (including the same host with a different scheme or port) disables it.
def minio_enabled():
  return data.values.blobstore.endpoint == "http://cf-blobstore-minio.cf-blobstore.svc.cluster.local:9000"
end
-------------------------------------------------------------------------------- /config/minio/minio.yml: --------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#@ load("@ytt:library", "library")
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:template", "template")
#@ load("must_exist.star", "must_exist")
#@ load("minio.star", "minio_enabled")

#@ if minio_enabled():

#@ def
add_cf_blobstore_namespace(): 11 | #@overlay/match by=overlay.all, expects="1+" 12 | --- 13 | metadata: 14 | #@overlay/match missing_ok=True 15 | namespace: cf-blobstore 16 | #@ end 17 | 18 | --- 19 | apiVersion: v1 20 | kind: Namespace 21 | metadata: 22 | name: cf-blobstore 23 | labels: 24 | cf-for-k8s.cloudfoundry.org/cf-blobstore-ns: "" 25 | 26 | #@overlay/match by=overlay.subset({"kind": "Secret", "metadata": {"name": "cf-blobstore-minio"}}) 27 | --- 28 | #@overlay/match missing_ok=True 29 | stringData: 30 | accesskey: #@ must_exist(data.values, "blobstore.access_key_id") 31 | secretkey: #@ must_exist(data.values, "blobstore.secret_access_key") 32 | #@overlay/remove 33 | data: 34 | 35 | --- #@ template.replace(overlay.apply(library.get("minio").eval(), add_cf_blobstore_namespace())) 36 | 37 | #@ end 38 | -------------------------------------------------------------------------------- /config/minio/must_exist.star: -------------------------------------------------------------------------------- 1 | load("@ytt:assert", "assert") 2 | 3 | def must_exist(data_values, data_value_key): 4 | value = data_values 5 | keys = data_value_key.split(".") 6 | for key in keys: 7 | value = getattr(value, key) 8 | end 9 | if len(value) == 0: 10 | assert.fail(data_value_key + " cannot be empty") 11 | end 12 | return value 13 | end 14 | -------------------------------------------------------------------------------- /config/namespaces.star: -------------------------------------------------------------------------------- 1 | def system_namespace(): 2 | return "cf-system" 3 | end 4 | 5 | def workloads_namespace(): 6 | return "cf-workloads" 7 | end 8 | 9 | def workloads_staging_namespace(): 10 | return "cf-workloads-staging" 11 | end 12 | -------------------------------------------------------------------------------- /config/networking/_ytt_lib/cf-k8s-networking/NOTICE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019-Present 
CloudFoundry.org Foundation, Inc. All Rights Reserved. 2 | 3 | This project is licensed to you under the Apache License, Version 2.0 (the "License"). 4 | You may not use this project except in compliance with the License. 5 | 6 | This project may include a number of subcomponents with separate copyright notices 7 | and license terms. Your use of these subcomponents is subject to the terms and 8 | conditions of the subcomponent's license, as noted in the LICENSE file. 9 | -------------------------------------------------------------------------------- /config/networking/_ytt_lib/cf-k8s-networking/config/routecontroller/cluster-role-binding.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | --- 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRoleBinding 6 | metadata: 7 | name: routecontroller 8 | namespace: #@ data.values.systemNamespace 9 | labels: 10 | app.kubernetes.io/name: routecontroller 11 | app.kubernetes.io/component: cf-networking 12 | app.kubernetes.io/part-of: cloudfoundry 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: ClusterRole 16 | name: routecontroller 17 | subjects: 18 | - kind: ServiceAccount 19 | name: routecontroller 20 | namespace: #@ data.values.systemNamespace 21 | -------------------------------------------------------------------------------- /config/networking/_ytt_lib/cf-k8s-networking/config/routecontroller/cluster-role.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | --- 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRole 6 | metadata: 7 | name: routecontroller 8 | namespace: #@ data.values.systemNamespace 9 | labels: 10 | app.kubernetes.io/name: routecontroller 11 | app.kubernetes.io/component: cf-networking 12 | app.kubernetes.io/part-of: cloudfoundry 13 | rules: 14 | - apiGroups: ["networking.cloudfoundry.org"] 15 | resources: 
["routes", "routes/status"] 16 | verbs: ["create", "delete", "get", "update", "list", "watch"] 17 | - apiGroups: ["networking.istio.io"] 18 | resources: ["virtualservices"] 19 | verbs: ["create", "delete", "get", "update", "list", "watch"] 20 | - apiGroups: ["coordination.k8s.io"] 21 | resources: ["leases"] 22 | verbs: ["create", "delete", "get", "update", "list", "watch"] 23 | - apiGroups: [""] 24 | resources: ["services"] 25 | verbs: ["create", "delete", "get", "update", "list", "watch"] 26 | - apiGroups: [""] 27 | resources: ["events"] 28 | verbs: ["create"] 29 | - apiGroups: [""] 30 | resources: ["configmaps"] 31 | verbs: ["create", "delete", "get", "update"] 32 | -------------------------------------------------------------------------------- /config/networking/_ytt_lib/cf-k8s-networking/config/routecontroller/routecontroller-configmap.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: routecontroller-config 7 | namespace: #@ data.values.systemNamespace 8 | annotations: 9 | kapp.k14s.io/versioned: "" 10 | kapp.k14s.io/num-versions: "2" 11 | labels: 12 | app.kubernetes.io/name: routecontroller-config 13 | app.kubernetes.io/component: cf-networking 14 | app.kubernetes.io/part-of: cloudfoundry 15 | data: 16 | LEADER_ELECTION_NAMESPACE: #@ data.values.systemNamespace 17 | ISTIO_GATEWAY_NAME: #@ data.values.systemNamespace + "/istio-ingressgateway" 18 | RESYNC_INTERVAL: "900" 19 | -------------------------------------------------------------------------------- /config/networking/_ytt_lib/cf-k8s-networking/config/routecontroller/service-account.yaml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | --- 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: routecontroller 8 | namespace: #@ data.values.systemNamespace 9 | labels: 10 | 
app.kubernetes.io/name: routecontroller 11 | app.kubernetes.io/component: cf-networking 12 | app.kubernetes.io/part-of: cloudfoundry 13 | -------------------------------------------------------------------------------- /config/networking/_ytt_lib/cf-k8s-networking/config/values/_defaults.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | #! Default values for cf-k8s-networking. 4 | #! This is a YTT-formatted file. 5 | systemNamespace: cf-system 6 | workloadsNamespace: cf-workloads 7 | 8 | service: 9 | externalPort: 80 10 | -------------------------------------------------------------------------------- /config/networking/_ytt_lib/cf-k8s-networking/config/values/images.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@data/values 3 | --- 4 | #@overlay/match missing_ok=True 5 | images: 6 | routecontroller: "index.docker.io/cloudfoundry/routecontroller@sha256:72db6b8d2d5ceeee7084f2263409ec2e9c0ad14b5aafa43ab2d68283cd663667" 7 | -------------------------------------------------------------------------------- /config/networking/istio-authorization-policies.yml: -------------------------------------------------------------------------------- 1 | #@ load("/namespaces.star", "system_namespace") 2 | 3 | #@ def principal(namespace, service_account): 4 | #@ return "cluster.local/ns/{}/sa/{}".format(namespace, service_account) 5 | #@ end 6 | 7 | #! 
https://istio.io/latest/docs/reference/config/security/authorization-policy/
---
#! Explicit allow-all for the system namespace: a single empty rule admits every
#! request, so any restriction has to come from DENY policies such as the one
#! below.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-allow-all
  namespace: #@ system_namespace()
spec:
  rules:
  - {}
---
#! Deny access to the CF API's /internal* paths from anything other than the
#! three eirini service accounts.
#! NOTE(review): the decision is based on the caller's peer identity, which is
#! only trustworthy when mTLS is enforced for traffic reaching cf-api-server;
#! confirm the mesh policy keeps it STRICT for this workload (the fluentd
#! PeerAuthentication shows plaintext exceptions exist in this namespace).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: cf-api-server
  namespace: #@ system_namespace()
spec:
  action: DENY
  selector:
    matchLabels:
      app.kubernetes.io/name: cf-api-server
  rules:
  - from:
    - source:
        notPrincipals:
        - #@ principal(system_namespace(), "eirini-api")
        - #@ principal(system_namespace(), "eirini-event-reporter")
        - #@ principal(system_namespace(), "eirini-task-reporter")
    to:
    - operation:
        paths:
        - "/internal*"
-------------------------------------------------------------------------------- /config/networking/networking.yml: --------------------------------------------------------------------------------
#@ load("@ytt:library", "library")
#@ load("@ytt:template", "template")
#@ load("/namespaces.star", "system_namespace", "workloads_namespace")

#! Values handed to the cf-k8s-networking library; its _defaults.yml declares
#! the same keys.
#@ def networking_values():
systemNamespace: #@ system_namespace()
workloadsNamespace: #@ workloads_namespace()
#@ end

#@ networking = library.get("cf-k8s-networking")
--- #@ template.replace(networking.with_data_values(networking_values()).eval())
-------------------------------------------------------------------------------- /config/postgres/postgres.star: --------------------------------------------------------------------------------
load("@ytt:data", "data")

# The bundled postgres is deployed whenever either UAA or CAPI has no external
# database host configured.
def cfdb_enabled():
  return len(data.values.uaa.database.host) == 0 or len(data.values.capi.database.host) == 0
end
-------------------------------------------------------------------------------- /config/prioritize-daemonsets.yml:
-------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | --- 4 | apiVersion: scheduling.k8s.io/v1 5 | kind: PriorityClass 6 | 7 | metadata: 8 | name: slightly-above-normal 9 | 10 | description: "Useful for DaemonSets which don't really have higher priority but should move other pods to other nodes" 11 | value: 1 12 | 13 | 14 | #@overlay/match by=overlay.subset({"kind":"DaemonSet"}), expects="1+" 15 | --- 16 | spec: 17 | template: 18 | spec: 19 | #@overlay/match missing_ok=True 20 | priorityClassName: slightly-above-normal 21 | -------------------------------------------------------------------------------- /config/quarks-secret/quarks-secret.star: -------------------------------------------------------------------------------- 1 | load("@ytt:data", "data") 2 | 3 | def quarks_secret_enabled(): 4 | return data.values.experimental.quarks_secret.enable == True 5 | end 6 | -------------------------------------------------------------------------------- /config/quarks-secret/quarks-secret.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:library", "library") 2 | #@ load("@ytt:template", "template") 3 | #@ load("/quarks-secret/quarks-secret.star", "quarks_secret_enabled") 4 | 5 | #@ if quarks_secret_enabled(): 6 | --- #@ template.replace(library.get("quarks-secret").eval()) 7 | #@ end 8 | -------------------------------------------------------------------------------- /config/system-namespace.yml: -------------------------------------------------------------------------------- 1 | #@ load("/namespaces.star", "system_namespace") 2 | #@ load("/quarks-secret/quarks-secret.star", "quarks_secret_enabled") 3 | --- 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: #@ system_namespace() 8 | labels: 9 | cf-for-k8s.cloudfoundry.org/cf-system-ns: "" 10 | #@ if quarks_secret_enabled(): 11 | quarks.cloudfoundry.org/monitored: cf-quarks-secret 12 | 
#@ end 13 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/NOTICE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2021-Present CloudFoundry.org Foundation, Inc. All Rights Reserved. 2 | 3 | This project is licensed to you under the Apache License, Version 2.0 (the "License"). 4 | You may not use this project except in compliance with the License. 5 | 6 | This project may include a number of subcomponents with separate copyright notices 7 | and license terms. Your use of these subcomponents is subject to the terms and 8 | conditions of the subcomponent's license, as noted in the LICENSE file. 9 | Contact GitHub API Training Shop Blog About 10 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/config.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:yaml", "yaml") 2 | #@ load("uaa.lib.yml", "config") 3 | #@ load("@ytt:data", "data") 4 | --- 5 | apiVersion: v1 6 | kind: ConfigMap 7 | metadata: 8 | name: uaa-config 9 | annotations: 10 | kapp.k14s.io/versioned: "" 11 | data: 12 | uaa.yml: #@ yaml.encode(config()) 13 | log4j2.properties: #@ data.read("log4j2.properties") -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/deployment.star: -------------------------------------------------------------------------------- 1 | load("@ytt:assert", "assert") 2 | 3 | config_dir = "/etc/config" 4 | secrets_dir = "/etc/secrets" 5 | truststore_dir = "/etc/truststore" 6 | truststore_file = "{}/uaa.pkcs12.truststore".format(truststore_dir) 7 | truststore_password = "changeit" 8 | 9 | java_opts_list = [ 10 | "-Djava.security.egd=file:/dev/./urandom", 11 | "-Dlogging.config={}/log4j2.properties".format(config_dir), 12 | 
"-Dlog4j.configurationFile={}/log4j2.properties".format(config_dir), 13 | "-DCLOUDFOUNDRY_CONFIG_PATH={}".format(config_dir), 14 | "-DSECRETS_DIR={}".format(secrets_dir), 15 | "-Djavax.net.ssl.trustStore={}".format(truststore_file), 16 | "-Djavax.net.ssl.trustStoreType=PKCS12", 17 | "-Djavax.net.ssl.trustStorePassword={}".format(truststore_password), 18 | "-Dstatsd.enabled=true", 19 | "-Dservlet.session-store=database", 20 | ] 21 | 22 | def java_opts(database_scheme): 23 | if not database_scheme in ['hsqldb' , 'mysql', 'postgresql']: 24 | assert.fail("database.scheme must be one of hsqldb, mysql, or postgresql") 25 | end 26 | 27 | ret = "-Dspring_profiles={}".format(database_scheme) 28 | for i in range(0, len(java_opts_list)): 29 | ret += " " 30 | ret += java_opts_list[i] 31 | end 32 | return ret 33 | end 34 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/log4j2.properties: -------------------------------------------------------------------------------- 1 | status = error 2 | dest = err 3 | name = UaaLog 4 | 5 | property.log_pattern=[%d{yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z] uaa%X{context} - %pid [%t] .... 
%5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{}%n 6 | 7 | appender.uaaDefaultAppender.type = Console 8 | appender.uaaDefaultAppender.name = UaaDefaultAppender 9 | appender.uaaDefaultAppender.layout.type = PatternLayout 10 | appender.uaaDefaultAppender.layout.pattern = [UAA] ${log_pattern} 11 | 12 | appender.uaaAuditAppender.type = Console 13 | appender.uaaAuditAppender.name = UaaAuditAppender 14 | appender.uaaAuditAppender.layout.type = PatternLayout 15 | appender.uaaAuditAppender.layout.pattern = [UAA_AUDIT] ${log_pattern} 16 | 17 | rootLogger.level = info 18 | rootLogger.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender 19 | 20 | logger.UAAAudit.name = UAA.Audit 21 | logger.UAAAudit.level = info 22 | logger.UAAAudit.additivity = true 23 | logger.UAAAudit.appenderRef.auditEventLog.ref = UaaAuditAppender 24 | 25 | logger.cfIdentity.name = org.cloudfoundry.identity 26 | logger.cfIdentity.level = info 27 | logger.cfIdentity.additivity = false 28 | logger.cfIdentity.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/metadata.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("@ytt:data", "data") 3 | 4 | #@ def metadata_labels(): 5 | app.kubernetes.io/name: "uaa" 6 | app.kubernetes.io/instance: #@ "uaa-" + data.values.labels.instance 7 | app.kubernetes.io/version: #@ data.values.version 8 | app.kubernetes.io/component: "authorization_server" 9 | app.kubernetes.io/part-of: #@ data.values.labels.partOf 10 | app.kubernetes.io/managed-by: #@ data.values.labels.managedBy 11 | #@ end 12 | 13 | #@overlay/match by=overlay.all,expects="1+" 14 | --- 15 | #@overlay/match-child-defaults missing_ok=True 16 | metadata: 17 | namespace: #@ data.values.namespace 18 | labels: #@ metadata_labels() 19 | 20 | #@overlay/match 
by=overlay.subset({"kind":"Deployment"}),missing_ok=True 21 | --- 22 | spec: 23 | #@overlay/match-child-defaults missing_ok=True 24 | template: 25 | metadata: 26 | namespace: #@ data.values.namespace 27 | labels: #@ metadata_labels() -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/admin_client_credentials.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:yaml", "yaml") 3 | #@ load("@ytt:assert", "assert") 4 | 5 | #@ def admin_client_credentials(): 6 | oauth: 7 | clients: 8 | admin: 9 | secret: #@ data.values.admin.client_secret or assert.fail("admin.client_secret is required") 10 | #@ end 11 | 12 | --- 13 | apiVersion: v1 14 | kind: Secret 15 | metadata: 16 | name: uaa-admin-client-credentials 17 | type: Opaque 18 | stringData: 19 | admin_client_credentials.yml: #@ yaml.encode(admin_client_credentials()) 20 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/ca_certs.star: -------------------------------------------------------------------------------- 1 | load("@ytt:data", "data") 2 | load("@ytt:base64", "base64") 3 | 4 | def has_ca_certs(ca_certs): 5 | return type(ca_certs) == "list" and len(ca_certs) > 0 6 | end 7 | 8 | def ca_certs_to_files(ca_certs): 9 | ca_certs_files = dict() 10 | 11 | for i in range(len(ca_certs)): 12 | ca_certs_files["uaa-ca-cert{}.pem".format(i)] = base64.encode(ca_certs[i]) 13 | end 14 | 15 | return ca_certs_files 16 | end 17 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/ca_certs.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("ca_certs.star", "has_ca_certs", "ca_certs_to_files") 3 | 4 | #@ if 
has_ca_certs(data.values.ca_certs): 5 | --- 6 | apiVersion: v1 7 | kind: Secret 8 | metadata: 9 | name: uaa-ca-certs 10 | type: Opaque 11 | data: #@ ca_certs_to_files(data.values.ca_certs) 12 | #@ end 13 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/database_credentials.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:yaml", "yaml") 3 | 4 | #@ def database_credentials(): 5 | database: 6 | username: #@ data.values.database.username or "" 7 | password: #@ data.values.database.password or "" 8 | #@ end 9 | 10 | #@ if data.values.database.username or data.values.database.password: 11 | --- 12 | apiVersion: v1 13 | kind: Secret 14 | metadata: 15 | name: uaa-database-credentials 16 | type: Opaque 17 | stringData: 18 | database_credentials.yml: #@ yaml.encode(database_credentials()) 19 | #@ end 20 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/encryption_keys.star: -------------------------------------------------------------------------------- 1 | load("@ytt:assert", "assert") 2 | 3 | def validated_encryption_keys(encryption): 4 | if not encryption or not hasattr(encryption, "active_key_label") or not encryption.active_key_label: 5 | assert.fail("encryption.active_key_label is required") 6 | end 7 | 8 | active_keys = [] 9 | for key in encryption.encryption_keys: 10 | if key.label == encryption.active_key_label: 11 | active_keys.append(key) 12 | end 13 | end 14 | 15 | if not active_keys: 16 | assert.fail("encryption.active_key_label must reference key in encryption.encryption_keys") 17 | end 18 | 19 | return encryption 20 | end -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/encryption_keys.yml: 
-------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:yaml", "yaml") 3 | #@ load ("encryption_keys.star", "validated_encryption_keys") 4 | 5 | #@ def encryption_keys(): 6 | encryption: #@ validated_encryption_keys(data.values.encryption) 7 | #@ end 8 | 9 | --- 10 | apiVersion: v1 11 | kind: Secret 12 | metadata: 13 | name: encryption-keys 14 | type: Opaque 15 | stringData: 16 | encryption_keys.yml: #@ yaml.encode(encryption_keys()) 17 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/jwt_policy_signing_keys.star: -------------------------------------------------------------------------------- 1 | load("@ytt:assert", "assert") 2 | 3 | def signing_keys(jwt_policy): 4 | if not jwt_policy or not jwt_policy.activeKeyId: 5 | assert.fail("jwt.policy.activeKeyId is required") 6 | end 7 | 8 | if type(jwt_policy.keys) != "struct": 9 | assert.fail("jwt.policy.keys must be an object") 10 | end 11 | 12 | if not hasattr(jwt_policy.keys, jwt_policy.activeKeyId): 13 | assert.fail("jwt.policy.keys must contain keyId matching jwt.policy.activeKeyId") 14 | end 15 | 16 | return jwt_policy 17 | end 18 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/jwt_policy_signing_keys.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:yaml", "yaml") 3 | #@ load("jwt_policy_signing_keys.star", "signing_keys") 4 | 5 | #@ def uaa_yml_signing_keys(): 6 | jwt: 7 | token: 8 | policy: #@ signing_keys(data.values.jwt.policy) 9 | #@ end 10 | --- 11 | apiVersion: v1 12 | kind: Secret 13 | metadata: 14 | name: uaa-jwt-policy-signing-keys 15 | type: Opaque 16 | stringData: 17 | jwt_policy_signing_keys.yml: #@ yaml.encode(uaa_yml_signing_keys()) 18 | 
-------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/saml_keys.star: -------------------------------------------------------------------------------- 1 | load("@ytt:assert", "assert") 2 | 3 | def saml_keys(login): 4 | if not login or not login.saml or not hasattr(login.saml, "activeKeyId") or not login.saml.activeKeyId: 5 | assert.fail("login.saml.activeKeyId is required") 6 | end 7 | 8 | if type(login.saml.keys) != "struct": 9 | assert.fail("login.saml.keys must be an object") 10 | end 11 | 12 | if not login.saml.keys or not getattr(login.saml.keys, login.saml.activeKeyId, None): 13 | assert.fail("login.saml.activeKeyId must reference key in login.saml.keys") 14 | end 15 | 16 | return login 17 | end 18 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/saml_keys.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:yaml", "yaml") 3 | #@ load("saml_keys.star", "saml_keys") 4 | 5 | #@ def uaa_saml_keys(): 6 | login: #@ saml_keys(data.values.login) 7 | #@ end 8 | --- 9 | apiVersion: v1 10 | kind: Secret 11 | metadata: 12 | name: uaa-saml-keys 13 | type: Opaque 14 | stringData: 15 | saml_keys.yml: #@ yaml.encode(uaa_saml_keys()) 16 | 17 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/secrets/smtp_credentials.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:yaml", "yaml") 3 | #@ def smtp_credentials(): 4 | --- 5 | smtp: 6 | user: #@ data.values.smtp.user or "" 7 | password: #@ data.values.smtp.password or "" 8 | #@ end 9 | 10 | #@ if data.values.smtp.user or data.values.smtp.password: 11 | --- 12 | apiVersion: v1 13 | kind: Secret 14 | metadata: 15 | name: 
uaa-smtp-credentials 16 | type: Opaque 17 | stringData: 18 | smtp_credentials.yml: #@ yaml.encode(smtp_credentials()) 19 | #@ end 20 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/service.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: uaa 6 | labels: 7 | app: uaa-deployment 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - port: 8080 12 | name: http-uaa 13 | targetPort: 8080 14 | protocol: TCP 15 | selector: 16 | app: uaa-deployment 17 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/service_account.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: uaa 7 | automountServiceAccountToken: #@ data.values.automountServiceAccountToken 8 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/uaa.lib.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:assert", "assert") 3 | 4 | #@ def config(): 5 | --- 6 | issuer: 7 | uri: #@ data.values.issuer.uri 8 | 9 | #! 
The secret that an external login server will use to authenticate to the uaa using the id `login` 10 | LOGIN_SECRET: loginsecret 11 | 12 | database: 13 | maxactive: 100 14 | maxidle: 10 15 | minidle: 0 16 | removeabandoned: false 17 | logabandoned: true 18 | abandonedtimeout: 300 19 | url: #@ data.values.database.url or assert.fail("database.url is required") 20 | 21 | smtp: 22 | host: #@ data.values.smtp.host 23 | port: #@ data.values.smtp.port 24 | starttls: #@ data.values.smtp.starttls 25 | from_address: #@ data.values.smtp.from_address 26 | 27 | oauth: 28 | client: 29 | override: true 30 | clients: 31 | admin: 32 | authorized-grant-types: client_credentials 33 | authorities: "clients.read,clients.write,clients.secret,uaa.admin,scim.read,scim.write,password.write" 34 | 35 | #@ end 36 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/values/_defaults.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | #! UAA Deployment Values 4 | version: "" 5 | namespace: default 6 | labels: 7 | instance: standalone 8 | partOf: uaa 9 | managedBy: kubectl 10 | 11 | resources: 12 | uaa: 13 | requests: 14 | memory: 512Mi 15 | cpu: 50m 16 | limits: 17 | memory: 2000Mi 18 | cpu: 500m 19 | statsd_exporter: 20 | requests: 21 | memory: 10Mi 22 | cpu: 10m 23 | limits: 24 | memory: 100Mi 25 | cpu: 100m 26 | 27 | issuer: 28 | uri: http://localhost:8080/uaa 29 | 30 | tomcat: 31 | accessLoggingEnabled: "y" 32 | 33 | #! 
UAA Application Values 34 | database: 35 | scheme: ~ 36 | username: ~ 37 | password: ~ 38 | url: ~ 39 | 40 | jwt: 41 | policy: 42 | activeKeyId: ~ 43 | keys: {} 44 | 45 | login: 46 | saml: 47 | activeKeyId: ~ 48 | keys: {} 49 | 50 | encryption: 51 | active_key_label: ~ 52 | encryption_keys: [] 53 | 54 | smtp: 55 | host: ~ 56 | port: 25 57 | user: ~ 58 | password: ~ 59 | starttls: ~ 60 | from_address: ~ 61 | 62 | admin: 63 | client_secret: ~ 64 | 65 | #! ca_certs should be an array of PEM-encoded certs 66 | #! These will be added to the UAA's truststore 67 | ca_certs: [] 68 | 69 | automountServiceAccountToken: false 70 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/values/images.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@data/values 3 | --- 4 | #@overlay/match missing_ok=True 5 | images: 6 | statsd_exporter: cloudfoundry/statsd_exporter-cf-for-k8s@sha256:d5f14b2d08acdc86ac2691b052db58dbe3b1029fe5d16c086da7215f5a65ba7d 7 | uaa: cloudfoundry/uaa@sha256:f4d931309a9f8b0487c826df4717830b0bc81efb9cf0130a5cb3f66bf2809d5d 8 | -------------------------------------------------------------------------------- /config/uaa/_ytt_lib/uaa-k8s-release/config/values/version.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | version: "74.12.0" 4 | -------------------------------------------------------------------------------- /config/uaa/add-statsd-exporter-probes.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | 3 | #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"uaa"}}), expects=1 4 | --- 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | #@overlay/match by=overlay.subset({"name":"statsd-exporter"}),expects="1+" 10 | - 11 | #@overlay/match 
missing_ok=True 12 | livenessProbe: 13 | httpGet: 14 | path: /metrics 15 | port: metrics-uaa 16 | failureThreshold: 2 17 | periodSeconds: 5 18 | #@overlay/match missing_ok=True 19 | readinessProbe: 20 | httpGet: 21 | path: /metrics 22 | port: metrics-uaa 23 | -------------------------------------------------------------------------------- /config/uaa/allow-prometheus-metrics-access.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | 4 | #@ if data.values.allow_prometheus_metrics_access: 5 | #! Removes Istio-proxy access restriction towards Prometheus metrics endpoint/port. 6 | #! Allows any Prometheus or other component to scrape the metrics endpoint. 7 | #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"uaa"}}), expects=1 8 | --- 9 | spec: 10 | template: 11 | metadata: 12 | annotations: 13 | #@overlay/match missing_ok=True 14 | traffic.sidecar.istio.io/excludeInboundPorts: "9102" 15 | #@ end 16 | -------------------------------------------------------------------------------- /config/uaa/enable-automount-service-account-token.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | 4 | #@ if data.values.enable_automount_service_account_token: 5 | #! Patch service accounts to enable automount 6 | #! 
- Kind does not support setting it to false right now 7 | 8 | #@overlay/match by=overlay.subset({"kind":"ServiceAccount", "metadata": {"name":"uaa"}}),expects="0+" 9 | --- 10 | #@overlay/match missing_ok=True 11 | #@overlay/replace 12 | automountServiceAccountToken: true 13 | #@ end 14 | -------------------------------------------------------------------------------- /config/uaa/remove-resource-requirements.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | #@ load("@ytt:overlay", "overlay") 3 | 4 | #@ if data.values.remove_resource_requirements: 5 | #! on smaller/slow environments uaa may not start successfully due to probes being too agressive 6 | #@overlay/match by=overlay.subset({"kind":"Deployment","metadata":{"name":"uaa"}}) 7 | --- 8 | spec: 9 | template: 10 | spec: 11 | containers: 12 | #@overlay/match by=overlay.subset({"name":"uaa"}),expects="1+" 13 | - 14 | #@overlay/remove 15 | livenessProbe: {} 16 | #@overlay/remove 17 | readinessProbe: {} 18 | #@ end 19 | -------------------------------------------------------------------------------- /config/values/20-secrets-config-values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | #@overlay/match-child-defaults missing_ok=True 3 | --- 4 | capi: 5 | cf_api_controllers_client_secret: "" 6 | cf_api_backup_metadata_generator_client_secret: "" 7 | cc_username_lookup_client_secret: "" 8 | 9 | #! control optional deployment of a database for CF 10 | cf_db: 11 | admin_password: "" 12 | 13 | instance_index_env_injector_certificate: 14 | #! Certificate for the instance index env injector mutating webhook in eirini 15 | #! CN=*.cf-system.svc 16 | crt: "" 17 | #! Private key for the instance index env injector certificate 18 | key: "" 19 | #! CA certificate key used by kube API to verify the instance index env injector webhook handler 20 | ca: "" 21 | 22 | uaa: 23 | #! 
client secret for uaa admin client in plain text 24 | admin_client_secret: "" 25 | encryption_key: 26 | #! Plain text passphrase 27 | passphrase: "" 28 | 29 | jwt_policy: 30 | #! Plain text private key 31 | signing_key: "" 32 | 33 | login: 34 | service_provider: 35 | #! Plain text private key 36 | key: "" 37 | #! Plain text password 38 | key_password: "" 39 | #! Plain text certificate 40 | certificate: "" 41 | 42 | #! Plain text password 43 | login_secret: "" 44 | -------------------------------------------------------------------------------- /config/values/30-experimental-values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | #@overlay/match-child-defaults missing_ok=True 3 | --- 4 | experimental: 5 | quarks_secret: 6 | enable: false -------------------------------------------------------------------------------- /config/workloads-namespace.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:overlay", "overlay") 2 | #@ load("/namespaces.star", "workloads_namespace") 3 | 4 | --- 5 | apiVersion: v1 6 | kind: Namespace 7 | metadata: 8 | name: #@ workloads_namespace() 9 | annotations: 10 | kapp.k14s.io/change-rule.cf-workloads-namespace: "delete before deleting cf-k8s-networking/routecontroller" 11 | labels: 12 | cf-for-k8s.cloudfoundry.org/cf-workloads-ns: "" 13 | 14 | #! 
the following overlay ensures the cf-workloads namespace is deleted before the routecontroller 15 | #@ cr = overlay.subset({"kind":"ClusterRole","metadata":{"name":"routecontroller"}}) 16 | #@ crb = overlay.subset({"kind":"ClusterRoleBinding","metadata":{"name":"routecontroller"}}) 17 | #@ cm = overlay.subset({"kind":"ConfigMap","metadata":{"name":"routecontroller-config"}}) 18 | #@ d = overlay.subset({"kind":"Deployment","metadata":{"name":"routecontroller"}}) 19 | #@ sa = overlay.subset({"kind":"ServiceAccount","metadata":{"name":"routecontroller"}}) 20 | #@overlay/match by=overlay.or_op(cr, crb, cm, d, sa), expects="1+" 21 | #@overlay/match-child-defaults missing_ok=True 22 | --- 23 | metadata: 24 | annotations: 25 | kapp.k14s.io/change-group: cf-k8s-networking/routecontroller 26 | -------------------------------------------------------------------------------- /deploy/aks/terraform/cluster.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_kubernetes_cluster" "primary" { 2 | name = var.env_name 3 | location = var.location 4 | resource_group_name = azurerm_resource_group.primary.name 5 | dns_prefix = var.env_name 6 | 7 | default_node_pool { 8 | name = "default" 9 | node_count = var.node_count 10 | vm_size = var.node_vm_size 11 | } 12 | 13 | identity { 14 | type = "SystemAssigned" 15 | } 16 | 17 | network_profile { 18 | network_plugin = "kubenet" 19 | network_policy = "calico" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /deploy/aks/terraform/dns.tf: -------------------------------------------------------------------------------- 1 | resource "google_dns_record_set" "wildcard" { 2 | name = "*.${var.env_dns_domain}." 
3 | project = var.google_project 4 | 5 | type = "A" 6 | ttl = 300 7 | 8 | managed_zone = var.dns_zone_name 9 | 10 | rrdatas = [azurerm_public_ip.lb_static_ip.ip_address] 11 | } 12 | 13 | resource "google_dns_record_set" "apps_wildcard" { 14 | name = "*.apps.${var.env_dns_domain}." 15 | project = var.google_project 16 | 17 | type = "A" 18 | ttl = 300 19 | 20 | managed_zone = var.dns_zone_name 21 | 22 | rrdatas = [azurerm_public_ip.lb_static_ip.ip_address] 23 | } -------------------------------------------------------------------------------- /deploy/aks/terraform/lb_static_ip.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_public_ip" "lb_static_ip" { 2 | name = "${var.env_name}-lb" 3 | location = var.location 4 | resource_group_name = azurerm_kubernetes_cluster.primary.node_resource_group // The LoadBalancer static IP has to exist in the same resource group as the LoadBalancer itself 5 | allocation_method = "Static" // We want to know the IP address ahead of time so that we an set up DNS for it 6 | sku = "Standard" // The SKU for the LoadBalancer static IP has to match the LoadBalancer itself 7 | } 8 | -------------------------------------------------------------------------------- /deploy/aks/terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | output "lb_static_ip" { 2 | value = azurerm_public_ip.lb_static_ip.ip_address 3 | } 4 | 5 | output "kubeconfig" { 6 | value = azurerm_kubernetes_cluster.primary.kube_config_raw 7 | sensitive = true 8 | } 9 | -------------------------------------------------------------------------------- /deploy/aks/terraform/provider.tf: -------------------------------------------------------------------------------- 1 | provider "azurerm" { 2 | client_id = var.service_principal_id 3 | client_secret = var.service_principal_secret 4 | subscription_id = var.subscription_id 5 | tenant_id = var.tenant_id 6 | 7 | features {} 8 | } 9 | 
10 | // Used for DNS management 11 | provider "google" { 12 | project = var.google_project 13 | region = var.google_region 14 | credentials = var.google_service_account_key 15 | } 16 | -------------------------------------------------------------------------------- /deploy/aks/terraform/resource_group.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_resource_group" "primary" { 2 | name = var.env_name 3 | location = var.location 4 | } 5 | -------------------------------------------------------------------------------- /deploy/aks/terraform/variables.tf: -------------------------------------------------------------------------------- 1 | variable "service_principal_id" { 2 | type = string 3 | } 4 | 5 | variable "service_principal_secret" { 6 | type = string 7 | } 8 | 9 | variable "subscription_id" { 10 | type = string 11 | } 12 | 13 | variable "tenant_id" { 14 | type = string 15 | } 16 | 17 | variable "google_project" { 18 | type = string 19 | } 20 | 21 | variable "google_region" { 22 | type = string 23 | } 24 | 25 | variable "google_service_account_key" { 26 | type = string 27 | } 28 | 29 | variable "location" { 30 | type = string 31 | default = "West US" 32 | } 33 | 34 | variable "env_name" { 35 | type = string 36 | } 37 | 38 | variable "env_dns_domain" { 39 | type = string 40 | } 41 | 42 | variable "dns_zone_name" { 43 | type = string 44 | } 45 | 46 | variable "node_count" { 47 | type = number 48 | default = 5 49 | } 50 | 51 | variable "node_vm_size" { 52 | type = string 53 | default = "Standard_DS3_v2" 54 | } 55 | -------------------------------------------------------------------------------- /deploy/aks/terraform/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | azurerm = { 4 | source = "hashicorp/azurerm" 5 | version = "=2.62.1" 6 | } 7 | google = { 8 | source = "hashicorp/google" 9 | } 10 | } 11 | required_version 
= ">= 0.13" 12 | } 13 | -------------------------------------------------------------------------------- /deploy/eks/terraform/eks.tf: -------------------------------------------------------------------------------- 1 | module "eks" { 2 | source = "terraform-aws-modules/eks/aws" 3 | version = "18.21.0" 4 | 5 | cluster_name = var.env_name 6 | cluster_version = var.eks_version 7 | 8 | vpc_id = module.vpc.vpc_id 9 | subnet_ids = module.vpc.private_subnets 10 | 11 | eks_managed_node_groups = { 12 | worker-group = { 13 | instance_types = [var.node_machine_type] 14 | capacity_type = "SPOT" 15 | min_size = var.node_count 16 | max_size = var.node_count 17 | desired_size = var.node_count 18 | }, 19 | } 20 | 21 | tags = { 22 | Environment = var.env_name 23 | } 24 | } 25 | 26 | data "aws_eks_cluster" "cluster" { 27 | name = module.eks.cluster_id 28 | } 29 | 30 | data "aws_eks_cluster_auth" "cluster" { 31 | name = module.eks.cluster_id 32 | } 33 | -------------------------------------------------------------------------------- /deploy/eks/terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | output "cluster_id" { 2 | description = "EKS cluster ID" 3 | value = module.eks.cluster_id 4 | } 5 | -------------------------------------------------------------------------------- /deploy/eks/terraform/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-west-2" 3 | access_key = var.access_key_id 4 | secret_key = var.secret_access_key 5 | } 6 | 7 | provider "kubernetes" { 8 | host = data.aws_eks_cluster.cluster.endpoint 9 | token = data.aws_eks_cluster_auth.cluster.token 10 | cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) 11 | } 12 | -------------------------------------------------------------------------------- /deploy/eks/terraform/security-groups.tf: 
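--------------------------------------------------------------------------------
/deploy/eks/terraform/security-groups.tf:
--------------------------------------------------------------------------------
# SSH management security groups for worker nodes.
#
# NOTE(review): eks.tf does not attach any of these groups to the node group,
# so as written they have no effect unless something outside this directory
# references them. Also note that an aws_security_group with no `egress` block
# has its default allow-all egress rule removed by Terraform.

# SSH from the 10.0.0.0/8 range (covers the 10.0.0.0/16 VPC in vpc.tf).
resource "aws_security_group" "worker_group_mgmt_one" {
  name_prefix = "worker_group_mgmt_one"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "SSH from 10.0.0.0/8"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"

    cidr_blocks = [
      "10.0.0.0/8",
    ]
  }

  tags = {
    Environment = var.env_name
  }
}

# SSH from the 192.168.0.0/16 range.
resource "aws_security_group" "worker_group_mgmt_two" {
  name_prefix = "worker_group_mgmt_two"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "SSH from 192.168.0.0/16"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"

    cidr_blocks = [
      "192.168.0.0/16",
    ]
  }

  tags = {
    Environment = var.env_name
  }
}

# SSH from all RFC 1918 ranges; a superset of the two groups above.
resource "aws_security_group" "all_worker_mgmt" {
  name_prefix = "all_worker_management"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "SSH from RFC 1918 ranges"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/16",
    ]
  }

  tags = {
    Environment = var.env_name
  }
}
--------------------------------------------------------------------------------
/deploy/eks/terraform/vpc.tf:
--------------------------------------------------------------------------------
module "vpc" {
  # NOTE(review): no `version` pin here, unlike the eks module in eks.tf. Pin
  # it so `terraform init` is reproducible and a new major release of the
  # module cannot change subnet/NAT behaviour underneath CI.
  source = "terraform-aws-modules/vpc/aws"

  name            = "${var.env_name}-vpc"
  cidr            = "10.0.0.0/16"
  azs             = var.azs
  private_subnets = var.private_subnets
  public_subnets  = var.public_subnets

  # One shared NAT gateway: cheaper, but all private-subnet egress depends on
  # a single AZ.
  enable_nat_gateway   = true
  single_nat_gateway   = true
  enable_dns_hostnames = true

  # Cluster-discovery tags expected by the AWS load balancer integration.
  tags = {
    "kubernetes.io/cluster/${var.env_name}" = "shared"
  }

  public_subnet_tags = {
    "kubernetes.io/cluster/${var.env_name}" = "shared"
    "kubernetes.io/role/elb"                = "1"
  }

  private_subnet_tags = {
    "kubernetes.io/cluster/${var.env_name}" = "shared"
    "kubernetes.io/role/internal-elb"       = "1"
  }
}
--------------------------------------------------------------------------------
/deploy/gke/terraform/dns.tf: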
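--------------------------------------------------------------------------------
/deploy/gke/terraform/dns.tf:
--------------------------------------------------------------------------------
# Wildcard system-domain record pointing at the ingress load balancer IP.
resource "google_dns_record_set" "wildcard" {
  name    = "*.${var.env_dns_domain}."
  project = var.project

  type = "A"
  ttl  = 300

  managed_zone = var.dns_zone_name

  rrdatas = [google_compute_address.lb_static_ip.address]
}

# Wildcard apps-domain record; same load balancer IP as the system domain.
resource "google_dns_record_set" "apps_wildcard" {
  name    = "*.apps.${var.env_dns_domain}."
  project = var.project

  type = "A"
  ttl  = 300

  managed_zone = var.dns_zone_name

  rrdatas = [google_compute_address.lb_static_ip.address]
}
--------------------------------------------------------------------------------
/deploy/gke/terraform/lb_static_ip.tf:
--------------------------------------------------------------------------------
# Regional static IP reserved for the ingress load balancer so the DNS records
# above survive cluster rebuilds.
resource "google_compute_address" "lb_static_ip" {
  name    = "${var.env_name}-lb"
  project = var.project
  region  = var.region
}
--------------------------------------------------------------------------------
/deploy/gke/terraform/outputs.tf:
--------------------------------------------------------------------------------
output "lb_static_ip" {
  value = google_compute_address.lb_static_ip.address
}
--------------------------------------------------------------------------------
/deploy/gke/terraform/provider.tf:
--------------------------------------------------------------------------------
# NOTE(review): neither provider is version-pinned in versions.tf; pin both so
# CI runs are reproducible.
provider "google" {
  project     = var.project
  region      = var.region
  credentials = var.service_account_key
}

provider "google-beta" {
  project     = var.project
  region      = var.region
  credentials = var.service_account_key
}
--------------------------------------------------------------------------------
/deploy/gke/terraform/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type = string
}

variable "region" {
  type = string
}

variable "zone" {
  type = string
}

# Service-account JSON key. `sensitive = true` (Terraform >= 0.14) keeps it out
# of plan/apply output should it ever be referenced by a resource or output.
variable "service_account_key" {
  type      = string
  sensitive = true
}

variable "env_name" {
  type = string
}

variable "env_dns_domain" {
  type = string
}

variable "dns_zone_name" {
  type = string
}

variable "network_name" {
  type    = string
  default = "default"
}

variable "subnet_name" {
  type    = string
  default = "default"
}

variable "node_count" {
  type    = number
  default = 5
}

variable "node_machine_type" {
  type    = string
  default = "n1-standard-4"
}

# RAPID tracks the newest GKE releases; expect more frequent automatic
# master/node upgrades than REGULAR or STABLE.
variable "release_channel" {
  type    = string
  default = "RAPID"
}
--------------------------------------------------------------------------------
/deploy/gke/terraform/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
    google-beta = {
      source = "hashicorp/google-beta"
    }
  }
  # 0.14 is the first release that supports `sensitive` on input variables.
  required_version = ">= 0.14"
}
--------------------------------------------------------------------------------
/deploy/kind-on-gcp/install-and-test.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Installs cf-for-k8s on a fresh kind cluster and runs the smoke tests.
# Expects the repo checked out at /tmp/kind/cf-for-k8s and values at /tmp/cf-values.yml.

# Fail fast: previously a failed `kind create`, `ytt` or `kapp deploy` did not
# stop the script and the smoke tests ran against a half-deployed cluster.
set -euo pipefail

export HOME=/tmp/kind
export CGO_ENABLED=0
export GO111MODULE=on
export PATH=/tmp/kind/bin:/tmp/kind/go/bin:${PATH}
export KUBECONFIG=/tmp/kind/.kube/config

# retry <attempts> <command...>: run the command until it succeeds, sleeping
# 2^n seconds between attempts; returns the last exit status on exhaustion.
function retry {
  local retries="$1"
  shift

  local count=0
  local rc
  local wait
  until "$@"; do
    rc=$?
    wait=$((2 ** count))
    count=$((count + 1))
    if [ "${count}" -lt "${retries}" ]; then
      echo "Retry ${count}/${retries} exited ${rc}, retrying in ${wait} seconds..."
      sleep "${wait}"
    else
      echo "Retry ${count}/${retries} exited ${rc}, no more retries left."
      return "${rc}"
    fi
  done
  return 0
}

cd /tmp/kind/cf-for-k8s
# There may be no cluster to delete on a fresh VM; do not let that abort the run.
kind delete cluster || true
kind create cluster --config=deploy/kind/cluster.yml

CF_VALUES=/tmp/cf-values.yml
CF_RENDERED=/tmp/cf-rendered.yml
ytt -f config -f "${CF_VALUES}" > "${CF_RENDERED}"
kapp deploy -f "${CF_RENDERED}" -a cf -y

# vcap.me resolves to 127.0.0.1 and the cluster uses a self-signed cert, so
# SSL validation is skipped here and in the smoke tests; do not copy this for
# a real system domain.
retry 7 cf api api.vcap.me --skip-ssl-validation

# Extracted explicitly so a missing/renamed key fails the run instead of
# silently passing an empty password to the smoke tests.
CF_ADMIN_PASSWORD="$(grep cf_admin_pass "${CF_VALUES}" | cut -d" " -f2)"
if [ -z "${CF_ADMIN_PASSWORD}" ]; then
  echo "cf_admin_password not found in ${CF_VALUES}" >&2
  exit 1
fi

SMOKE_TEST_API_ENDPOINT="https://api.vcap.me" \
  SMOKE_TEST_APPS_DOMAIN=vcap.me \
  SMOKE_TEST_USERNAME=admin \
  SMOKE_TEST_PASSWORD="${CF_ADMIN_PASSWORD}" \
  SMOKE_TEST_SKIP_SSL=true \
  ./hack/run-smoke-tests.sh
--------------------------------------------------------------------------------
/deploy/kind-on-gcp/terraform/outputs.tf:
--------------------------------------------------------------------------------
output "vm_name" {
  value = google_compute_instance.default.name
}

# `sensitive` only redacts CLI output; the private key is still stored in
# plaintext in the Terraform state, so the state backend must be protected.
output "vm_ssh_private_key" {
  value     = tls_private_key.default.private_key_pem
  sensitive = true
}

output "vm_ssh_public_key" {
  value = tls_private_key.default.public_key_openssh
}
--------------------------------------------------------------------------------
/deploy/kind-on-gcp/terraform/provider.tf:
--------------------------------------------------------------------------------
provider "google" {
  project     = var.project
  region      = var.region
  credentials = var.service_account_key
}
--------------------------------------------------------------------------------
/deploy/kind-on-gcp/terraform/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type = string
}

variable "region" {
  type = string
}

variable "zone" {
  type = string
}

# Service-account JSON key; `sensitive = true` needs Terraform >= 0.14.
variable "service_account_key" {
  type      = string
  sensitive = true
}

variable "machine_type" {
  type    = string
  default = "n2-standard-16"
}
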
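--------------------------------------------------------------------------------
/deploy/kind-on-gcp/terraform/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
    random = {
      source = "hashicorp/random"
    }
    tls = {
      source = "hashicorp/tls"
    }
  }
  # 0.14 is the first release that supports `sensitive` on input variables
  # (used for service_account_key in variables.tf).
  required_version = ">= 0.14"
}
--------------------------------------------------------------------------------
/deploy/kind/cluster.yml:
--------------------------------------------------------------------------------
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  # Binds host ports 80/443 directly to the ingress; on a shared host anything
  # that can reach the machine can reach the cluster's ingress.
  extraPortMappings:
  - protocol: TCP
    containerPort: 80
    hostPort: 80
  - protocol: TCP
    containerPort: 443
    hostPort: 443
  containerdConfigPatches:
  - |-
    [plugins."io.containerd.grpc.v1.cri".containerd]
      disable_snapshot_annotations = true
--------------------------------------------------------------------------------
/deploy/minikube-on-gcp/install-and-test.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Installs cf-for-k8s on a fresh minikube cluster and runs the smoke tests.
# Expects the repo checked out at /tmp/minikube/cf-for-k8s and values at /tmp/cf-values.yml.

# Fail fast: previously a failed `minikube start`, `ytt` or `kapp deploy` did
# not stop the script and the smoke tests ran against a half-deployed cluster.
set -euo pipefail

export HOME=/tmp/minikube
export CGO_ENABLED=0
export GO111MODULE=on
export PATH=/tmp/minikube/bin:/tmp/minikube/go/bin:${PATH}
export KUBECONFIG=/tmp/minikube/.kube/config

# retry <attempts> <command...>: run the command until it succeeds, sleeping
# 2^n seconds between attempts; returns the last exit status on exhaustion.
function retry {
  local retries="$1"
  shift

  local count=0
  local rc
  local wait
  until "$@"; do
    rc=$?
    wait=$((2 ** count))
    count=$((count + 1))
    if [ "${count}" -lt "${retries}" ]; then
      echo "Retry ${count}/${retries} exited ${rc}, retrying in ${wait} seconds..."
      sleep "${wait}"
    else
      echo "Retry ${count}/${retries} exited ${rc}, no more retries left."
      return "${rc}"
    fi
  done
  return 0
}

cd /tmp/minikube/cf-for-k8s
# `yes` exits via SIGPIPE once minikube stops reading, and there may be no
# cluster to delete on a fresh VM; neither should abort the run under pipefail.
yes | minikube delete || true
minikube start

CF_VALUES=/tmp/cf-values.yml
CF_RENDERED=/tmp/cf-rendered.yml
ytt -f config -f "${CF_VALUES}" > "${CF_RENDERED}"
kapp deploy -f "${CF_RENDERED}" -a cf -y

# vcap.me resolves to 127.0.0.1 and the cluster uses a self-signed cert, so
# SSL validation is skipped here and in the smoke tests; do not copy this for
# a real system domain.
retry 7 cf api api.vcap.me --skip-ssl-validation

# Extracted explicitly so a missing/renamed key fails the run instead of
# silently passing an empty password to the smoke tests.
CF_ADMIN_PASSWORD="$(grep cf_admin_pass "${CF_VALUES}" | cut -d" " -f2)"
if [ -z "${CF_ADMIN_PASSWORD}" ]; then
  echo "cf_admin_password not found in ${CF_VALUES}" >&2
  exit 1
fi

SMOKE_TEST_API_ENDPOINT="https://api.vcap.me" \
  SMOKE_TEST_APPS_DOMAIN=vcap.me \
  SMOKE_TEST_USERNAME=admin \
  SMOKE_TEST_PASSWORD="${CF_ADMIN_PASSWORD}" \
  SMOKE_TEST_SKIP_SSL=true \
  ./hack/run-smoke-tests.sh
--------------------------------------------------------------------------------
/deploy/minikube-on-gcp/terraform/outputs.tf:
--------------------------------------------------------------------------------
output "vm_name" {
  value = google_compute_instance.default.name
}

# `sensitive` only redacts CLI output; the private key is still stored in
# plaintext in the Terraform state, so the state backend must be protected.
output "vm_ssh_private_key" {
  value     = tls_private_key.default.private_key_pem
  sensitive = true
}

output "vm_ssh_public_key" {
  value = tls_private_key.default.public_key_openssh
}
--------------------------------------------------------------------------------
/deploy/minikube-on-gcp/terraform/provider.tf:
--------------------------------------------------------------------------------
provider "google" {
  project     = var.project
  region      = var.region
  credentials = var.service_account_key
}
--------------------------------------------------------------------------------
/deploy/minikube-on-gcp/terraform/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type = string
}

variable "region" {
  type = string
}

variable "zone" {
  type = string
}

# Service-account JSON key; `sensitive = true` needs Terraform >= 0.14.
variable "service_account_key" {
  type      = string
  sensitive = true
}

variable "machine_type" {
  type    = string
  default = "n2-standard-16"
}
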
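--------------------------------------------------------------------------------
/deploy/minikube-on-gcp/terraform/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
    random = {
      source = "hashicorp/random"
    }
    tls = {
      source = "hashicorp/tls"
    }
  }
  # 0.14 is the first release that supports `sensitive` on input variables
  # (used for service_account_key in variables.tf).
  required_version = ">= 0.14"
}
--------------------------------------------------------------------------------
/deploy/rds/terraform/README.md:
--------------------------------------------------------------------------------
# Using terraform with AWS

1. Add the following secrets to the secret manager (they map onto the
   `region`, `aws_access_key_id`, `aws_secret_access_key` and
   `database_password` variables in `variables.tf`):
   * ci_k8s_aws_region
   * ci_k8s_aws_access_key_id
   * ci_k8s_aws_secret_access_key
   * ci_k8s_aws_rds_database_password

2. Ensure the following entries exist within the `cf_for_k8s_private_dockerhub` secret:

   * cf_for_k8s_private_dockerhub.repository_prefix
   * cf_for_k8s_private_dockerhub.hostname

--------------------------------------------------------------------------------
/deploy/rds/terraform/database.tf:
--------------------------------------------------------------------------------
# Whether the instance gets a public address. Default keeps the previous
# behaviour (the CI clusters that use this database are not in this VPC), but
# it can now be turned off for deployments that reach RDS privately.
variable "publicly_accessible" {
  type    = bool
  default = true
}

# Small, disposable Postgres instance for CI runs of cf-for-k8s.
resource "aws_db_instance" "postgres" {
  allocated_storage = 20
  engine            = "postgres"
  # NOTE(review): storage_encrypted is not available on db.t2.micro; moving to
  # a t3 class would allow encryption at rest.
  instance_class = "db.t2.micro"
  identifier     = "cf4k8s"
  username       = "postgres"
  # Stored in plaintext in the Terraform state; protect the state backend.
  password = var.database_password

  # NOTE(review): no vpc_security_group_ids or parameter group are set, so
  # reachability is whatever the account's default VPC security group allows
  # and TLS is not enforced on the server side (rds.force_ssl). With a public
  # address, the security group is the only thing between the internet and
  # the postgres password.
  publicly_accessible = var.publicly_accessible

  # Disposable CI database: no final snapshot on destroy, one week of backups.
  skip_final_snapshot     = true
  backup_retention_period = 7
}
--------------------------------------------------------------------------------
/deploy/rds/terraform/outputs.tf:
--------------------------------------------------------------------------------
output "address" {
  value = aws_db_instance.postgres.address
}
--------------------------------------------------------------------------------
/deploy/rds/terraform/provider.tf: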
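--------------------------------------------------------------------------------
/deploy/rds/terraform/provider.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
  # Static IAM user keys supplied by CI (see README.md). Prefer a role/OIDC
  # based credential where the runner supports it; static keys never expire
  # on their own.
  access_key = var.aws_access_key_id
  secret_key = var.aws_secret_access_key
}
--------------------------------------------------------------------------------
/deploy/rds/terraform/variables.tf:
--------------------------------------------------------------------------------
variable "region" {
  type = string
}

variable "aws_access_key_id" {
  type = string
}

# `sensitive = true` (Terraform >= 0.14) keeps secrets out of plan/apply output.
# The database password is also written to the aws_db_instance resource and so
# ends up in plaintext in the state file regardless.
variable "aws_secret_access_key" {
  type      = string
  sensitive = true
}

variable "database_password" {
  type      = string
  sensitive = true
}
--------------------------------------------------------------------------------
/deploy/s3/terraform/blobstore.tf:
--------------------------------------------------------------------------------
# Cloud Controller blobstore buckets. `force_destroy = true` is deliberate:
# these are per-run CI buckets (see bucket_suffix) that must be removable
# with their contents.

resource "aws_s3_bucket" "packages" {
  bucket        = "cc-packages-${var.bucket_suffix}"
  force_destroy = true
}

resource "aws_s3_bucket_acl" "packages" {
  bucket     = aws_s3_bucket.packages.id
  acl        = "private"
  depends_on = [aws_s3_bucket_ownership_controls.blobstore]
}

resource "aws_s3_bucket" "droplets" {
  bucket        = "cc-droplets-${var.bucket_suffix}"
  force_destroy = true
}

resource "aws_s3_bucket_acl" "droplets" {
  bucket     = aws_s3_bucket.droplets.id
  acl        = "private"
  depends_on = [aws_s3_bucket_ownership_controls.blobstore]
}

resource "aws_s3_bucket" "resources" {
  bucket        = "cc-resources-${var.bucket_suffix}"
  force_destroy = true
}

resource "aws_s3_bucket_acl" "resources" {
  bucket     = aws_s3_bucket.resources.id
  acl        = "private"
  depends_on = [aws_s3_bucket_ownership_controls.blobstore]
}

resource "aws_s3_bucket" "buildpacks" {
  bucket        = "cc-buildpacks-${var.bucket_suffix}"
  force_destroy = true
}

resource "aws_s3_bucket_acl" "buildpacks" {
  bucket     = aws_s3_bucket.buildpacks.id
  acl        = "private"
  depends_on = [aws_s3_bucket_ownership_controls.blobstore]
}

# The hardening below applies to all four buckets; keyed by a static name so
# resource addresses stay stable while the bucket ids are computed.
locals {
  blobstore_buckets = {
    packages   = aws_s3_bucket.packages.id
    droplets   = aws_s3_bucket.droplets.id
    resources  = aws_s3_bucket.resources.id
    buildpacks = aws_s3_bucket.buildpacks.id
  }
}

# Newer S3 buckets are created with ACLs disabled (BucketOwnerEnforced), which
# makes the aws_s3_bucket_acl resources above fail. BucketOwnerPreferred keeps
# ACLs usable; the acl resources depend on this so ordering is explicit.
resource "aws_s3_bucket_ownership_controls" "blobstore" {
  for_each = local.blobstore_buckets
  bucket   = each.value

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Nothing in cf-for-k8s needs these buckets or their objects to be public;
# block every public-access path at the bucket level, independent of ACLs.
resource "aws_s3_bucket_public_access_block" "blobstore" {
  for_each = local.blobstore_buckets
  bucket   = each.value

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Server-side encryption at rest with S3-managed keys: no client changes, no
# extra cost.
resource "aws_s3_bucket_server_side_encryption_configuration" "blobstore" {
  for_each = local.blobstore_buckets
  bucket   = each.value

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
--------------------------------------------------------------------------------
/deploy/s3/terraform/outputs.tf: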
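--------------------------------------------------------------------------------
/deploy/s3/terraform/outputs.tf:
--------------------------------------------------------------------------------
output "bucket_packages" {
  value = aws_s3_bucket.packages.id
}

output "bucket_droplets" {
  value = aws_s3_bucket.droplets.id
}

output "bucket_resources" {
  value = aws_s3_bucket.resources.id
}

output "bucket_buildpacks" {
  value = aws_s3_bucket.buildpacks.id
}
--------------------------------------------------------------------------------
/deploy/s3/terraform/provider.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
  # Static IAM user keys supplied by CI. Prefer a role/OIDC based credential
  # where the runner supports it; static keys never expire on their own.
  access_key = var.aws_access_key_id
  secret_key = var.aws_secret_access_key
}
--------------------------------------------------------------------------------
/deploy/s3/terraform/variables.tf:
--------------------------------------------------------------------------------
# Suffix that makes the four cc-* bucket names unique per environment/run.
variable "bucket_suffix" {
  type = string
}

variable "aws_access_key_id" {
  type = string
}

# `sensitive = true` (Terraform >= 0.14) keeps the secret out of plan/apply output.
variable "aws_secret_access_key" {
  type      = string
  sensitive = true
}

variable "region" {
  type = string
}
--------------------------------------------------------------------------------
/hack/README.md:
--------------------------------------------------------------------------------
# Hack scripts

These scripts are intended to help with certain tasks around integrating and
deploying CF for Kubernetes.

They are not officially supported product bits. Their interface and behavior
may change at any time without notice.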
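
--------------------------------------------------------------------------------
/hack/app-registry-check-dockerfile/Dockerfile:
--------------------------------------------------------------------------------
# Minimal image, presumably used only to verify that pushes to the app
# registry work (see directory name). `scratch` is empty, so there is no
# `echo` binary and the CMD cannot actually run; do not deploy it.
FROM scratch
CMD ["echo", "hello"]
--------------------------------------------------------------------------------
/hack/confirm-network-policy.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# This is a hack! see https://github.com/cloudfoundry/cf-for-k8s/blob/develop/hack/README.md
#
# Usage: confirm-network-policy.sh <cluster> <zone>
# Exits non-zero unless the GKE cluster has node network policy enabled.

# Previously a failing `gcloud describe` (bad name, no credentials) produced an
# empty document and was reported as "NOT enabled"; fail loudly instead.
set -euo pipefail

echo "WARNING: The hack scripts are intended for development of cf-for-k8s.
They are not officially supported product bits. Their interface and behavior
may change at any time without notice." 1>&2

cluster="${1:?usage: $0 <cluster> <zone>}"
zone="${2:?usage: $0 <cluster> <zone>}"

# gcloud can emit JSON directly, which drops the ytt dependency the original
# used to convert YAML. `// false` maps a missing networkPolicy block to false.
enabled="$(gcloud container clusters describe "${cluster}" --zone "${zone}" --format=json |
  jq -r '.networkPolicy.enabled // false')"

if [[ "${enabled}" == "true" ]]; then
  echo "Confirmed that node network policy is enabled"
else
  echo "ERROR: node network policy is NOT enabled"
  exit 1
fi
--------------------------------------------------------------------------------
/hack/emit-pod-service-encryption-status.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Prints the Istio mTLS status between every sidecar-injected pod in cf-system
# and every service in cf-system.
#
# NOTE(review): `istioctl authn tls-check` has been deprecated/removed in
# recent Istio releases; confirm it exists for the istioctl version in use.

echo "WARNING: The hack scripts are intended for development of cf-for-k8s.
They are not officially supported product bits. Their interface and behavior
may change at any time without notice." 1>&2

for pod in $(kubectl get pod -l security.istio.io/tlsMode=istio -n cf-system -o jsonpath='{.items..metadata.name}') ; do
  echo "${pod}"
  for service in $(kubectl get services -n cf-system | awk '/^[a-z]/ { print $1 }') ; do
    istioctl authn tls-check "${pod}.cf-system" "${service}.cf-system.svc.cluster.local"
    echo
  done
  echo
done
--------------------------------------------------------------------------------
/hack/run-smoke-tests.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh

# This is a hack! see https://github.com/cloudfoundry/cf-for-k8s/blob/develop/hack/README.md
#
# Runs the ginkgo smoke-test suite in tests/smoke. Configuration is taken from
# SMOKE_TEST_* environment variables set by the caller.

set -eu

echo "WARNING: The hack scripts are intended for development of cf-for-k8s.
They are not officially supported product bits. Their interface and behavior
may change at any time without notice." 1>&2

cd "$(dirname "$0")/../tests/smoke"
ginkgo -v -r ./
--------------------------------------------------------------------------------
/hack/upgrade-cluster:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Usage: upgrade-cluster <cluster> <version> [node-pool] [zone]
# Upgrades a GKE master and node pool to <version>, then runs the smoke tests.
# Must be run from the repository root (it invokes ./hack/run-smoke-tests.sh).

set -exu

echo "WARNING: The hack scripts are intended for development of cf-for-k8s.
They are not officially supported product bits. Their interface and behavior
may change at any time without notice." 1>&2

CLUSTER_NAME="${1:?usage: $0 <cluster> <version> [node-pool] [zone]}"
DESIRED_VERSION="${2:?usage: $0 <cluster> <version> [node-pool] [zone]}"
NODE_POOL_NAME="${3:-default-pool}"
# Zone was hard-coded three times; it is now an optional argument with the
# previous value as default.
ZONE="${4:-us-central1-c}"

export CLOUDSDK_CORE_DISABLE_PROMPTS=1

# Remember the caller's builds/timeout so it can be restored. Previously it was
# only unset if it had been unset before, so an existing custom value was
# silently replaced by 36000, and nothing was restored if an upgrade failed.
previous_timeout="$(gcloud config list --format=json | jq -r .builds.timeout)"

restore_timeout() {
  if [[ "${previous_timeout}" == "null" ]] ; then
    gcloud config unset builds/timeout
  else
    gcloud config set builds/timeout "${previous_timeout}"
  fi
}
trap restore_timeout EXIT

# Allow 10 hours before timing out
gcloud config set builds/timeout 36000

gcloud container clusters upgrade "${CLUSTER_NAME}" \
  --cluster-version="${DESIRED_VERSION}" \
  --master \
  --zone="${ZONE}"

# Surge upgrade with zero unavailable nodes so workloads keep capacity.
gcloud container node-pools update "${NODE_POOL_NAME}" \
  --max-surge-upgrade=2 \
  --max-unavailable-upgrade=0 \
  --cluster="${CLUSTER_NAME}" \
  --zone="${ZONE}"

gcloud container clusters upgrade "${CLUSTER_NAME}" \
  --cluster-version="${DESIRED_VERSION}" \
  --node-pool="${NODE_POOL_NAME}" \
  --zone="${ZONE}"

./hack/run-smoke-tests.sh
--------------------------------------------------------------------------------
/images/build/statsd-exporter/build.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Builds the statsd_exporter image from the vendir-synced sources with kbld and
# writes the resolved digest to kbld.lock.yml.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
KBLD_LOCK_FILE="${SCRIPT_DIR}/kbld.lock.yml"
KBLD_CONFIG_DIR="$(mktemp -d)"

function cleanup() {
  echo "Cleaning up..."
  rm -rf "${KBLD_CONFIG_DIR}"
}

trap cleanup EXIT

pushd "${SCRIPT_DIR}" > /dev/null

# Fetch the pinned upstream source (vendir.yml / vendir.lock.yml).
vendir sync

"${SCRIPT_DIR}/generate-kbld-config.sh" "${KBLD_CONFIG_DIR}/kbld.yml"

# --lock-output records the pushed image by digest so consumers are pinned to
# exactly what was built rather than a mutable tag.
kbld -f "${KBLD_CONFIG_DIR}" -f "${SCRIPT_DIR}/statsd-exporter-image.yml" --lock-output "${KBLD_LOCK_FILE}"

popd > /dev/null
--------------------------------------------------------------------------------
/images/build/statsd-exporter/generate-kbld-config.sh:
--------------------------------------------------------------------------------
#!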
/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 6 | 7 | function generate_kbld_config() { 8 | local kbld_config_path="${1}" 9 | 10 | local source_path 11 | source_path="${SCRIPT_DIR}/sources" 12 | 13 | pushd "${source_path}" > /dev/null 14 | local git_ref 15 | git_ref=$(git rev-parse HEAD) 16 | popd > /dev/null 17 | 18 | echo "Creating Statsd exporter kbld config with ytt..." 19 | local kbld_config_values 20 | kbld_config_values=$(cat < "${kbld_config_path}" 29 | } 30 | 31 | function main() { 32 | local kbld_config_path="${1}" 33 | 34 | generate_kbld_config "${kbld_config_path}" 35 | } 36 | 37 | main "$@" 38 | -------------------------------------------------------------------------------- /images/build/statsd-exporter/kbld.lock.yml: -------------------------------------------------------------------------------- 1 | apiVersion: kbld.k14s.io/v1alpha1 2 | kind: Config 3 | minimumRequiredVersion: 0.30.0 4 | overrides: 5 | - image: cloudfoundry/statsd_exporter-cf-for-k8s 6 | newImage: index.docker.io/cloudfoundry/statsd_exporter-cf-for-k8s@sha256:a5d55aeb278f3665551dfd841f91cfd7e6be5cf5031190028b36a9edd650ed70 7 | preresolved: true 8 | -------------------------------------------------------------------------------- /images/build/statsd-exporter/kbld.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | --- 3 | apiVersion: kbld.k14s.io/v1alpha1 4 | kind: Config 5 | minimumRequiredVersion: 0.28.0 6 | sources: 7 | - imageRepo: cloudfoundry/statsd_exporter-cf-for-k8s 8 | path: sources 9 | pack: 10 | build: 11 | builder: paketobuildpacks/builder:tiny 12 | buildpacks: 13 | - gcr.io/paketo-buildpacks/go 14 | rawOptions: 15 | - --env 16 | - #@ "BP_OCI_REVISION={}".format(data.values.git_ref) 17 | - --env 18 | - #@ "BP_OCI_SOURCE={}".format(data.values.git_url) 19 | 20 | destinations: 21 | - imageRepo: cloudfoundry/statsd_exporter-cf-for-k8s 22 | 
newImage: index.docker.io/cloudfoundry/statsd_exporter-cf-for-k8s 23 | tags: 24 | - latest -------------------------------------------------------------------------------- /images/build/statsd-exporter/statsd-exporter-image.yml: -------------------------------------------------------------------------------- 1 | # NOTE: There is no reference in the templates for this image. This file is a token to trigger the kbld process. 2 | --- 3 | image: cloudfoundry/statsd_exporter-cf-for-k8s 4 | -------------------------------------------------------------------------------- /images/build/statsd-exporter/vendir.lock.yml: -------------------------------------------------------------------------------- 1 | apiVersion: vendir.k14s.io/v1alpha1 2 | directories: 3 | - contents: 4 | - git: 5 | commitTitle: 'Changelog for #361 & release 0.20.0...' 6 | sha: fbcadbf71b2bd3732596d7018f3692c030f1af6f 7 | tags: 8 | - v0.20.0 9 | path: . 10 | path: sources 11 | kind: LockConfig 12 | -------------------------------------------------------------------------------- /images/build/statsd-exporter/vendir.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: vendir.k14s.io/v1alpha1 3 | kind: Config 4 | minimumRequiredVersion: 0.11.0 5 | directories: 6 | - path: sources 7 | contents: 8 | - path: . 
9 | git: 10 | url: https://github.com/prometheus/statsd_exporter 11 | ref: v0.20.0 -------------------------------------------------------------------------------- /samples/example-component/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx 2 | 3 | ENV FOO=foo 4 | -------------------------------------------------------------------------------- /samples/example-component/build/kbld.yml: -------------------------------------------------------------------------------- 1 | images: 2 | example: example-component-image 3 | --- 4 | apiVersion: kbld.k14s.io/v1alpha1 5 | kind: Sources 6 | sources: 7 | - image: example-component-image 8 | path: . 9 | --- 10 | apiVersion: kbld.k14s.io/v1alpha1 11 | kind: ImageDestinations 12 | destinations: 13 | - image: example-component-image 14 | newImage: docker.io/pivotaljohn/example-image 15 | --- 16 | apiVersion: kbld.k14s.io/v1alpha1 17 | kind: ImageKeys 18 | keys: 19 | - example 20 | -------------------------------------------------------------------------------- /samples/example-component/config/add-kapp-my-crd-refs.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kapp.k14s.io/v1alpha1 3 | kind: Config 4 | 5 | #! Configure kapp to look for secret and configmap references in our crd 6 | #! when updating versioned resources. If kapp versions your secrets or configmaps 7 | #! without adding this configuration, the crd will refer to a nonexistent secret 8 | #! or configmap. 
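
#! Instances of the CRD below live in the cloudfoundry.org API group, so the
#! matchers use the full apiVersion "<group>/<version>"; a bare "v1alpha1"
#! would not match any object.
templateRules:
- resourceMatchers:
  - apiVersionKindMatcher: {apiVersion: v1, kind: Secret}
  affectedResources:
    objectReferences:
    - path: []
      resourceMatchers:
      - apiVersionKindMatcher: {apiVersion: cloudfoundry.org/v1alpha1, kind: MyCRD}
      nameKey: my-example-secret-ref

- resourceMatchers:
  - apiVersionKindMatcher: {apiVersion: v1, kind: ConfigMap}
  affectedResources:
    objectReferences:
    - path: [spec]
      resourceMatchers:
      - apiVersionKindMatcher: {apiVersion: cloudfoundry.org/v1alpha1, kind: MyCRD}
      nameKey: my-example-nested-configmap-ref
--------------------------------------------------------------------------------
/samples/example-component/config/deployment.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-component
spec:
  selector:
    matchLabels:
      app: example-component
  template:
    metadata:
      labels:
        app: example-component
    spec:
      containers:
      - name: webserver
        #! Resolved by kbld to the digest in values/images.yml.
        image: #@ data.values.images.example
--------------------------------------------------------------------------------
/samples/example-component/config/my-crd.yml:
--------------------------------------------------------------------------------
# apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22, inside the
# 1.19-1.24 range in supported_k8s_versions.yml, so this sample would not apply
# on newer clusters. The v1 form also requires `spec.group`, which was missing,
# and a lowercase `names.plural` that matches metadata.name
# ("<plural>.<group>"). The group is taken from the original metadata.name.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: mycrds.cloudfoundry.org
spec:
  group: cloudfoundry.org
  scope: Namespaced
  names:
    plural: mycrds
    singular: mycrd
    kind: MyCRD
  versions:
  - name: v1alpha1
    served: true
    storage: true
    subresources:
      status: {}
    schema:
      openAPIV3Schema:
        type: object
        properties:
          my-example-secret-ref:
            type: string
          spec:
            type: object
            properties:
              my-example-nested-configmap-ref:
                type: string
              # v1 prunes unknown fields by default; the v1beta1 original did
              # not, so keep the untyped sub-objects intact.
              selector:
                type: object
                x-kubernetes-preserve-unknown-fields: true
              template:
                type: object
                x-kubernetes-preserve-unknown-fields: true
--------------------------------------------------------------------------------
/samples/example-component/config/values/_defaults.yml:
--------------------------------------------------------------------------------
#@data/values
---
components:
  webserver:
    port: 8080
  database:
    port: 5120

#! Empty by default; overridden with a digest by values/images.yml.
images:
  example: ""
--------------------------------------------------------------------------------
/samples/example-component/config/values/images.yml:
--------------------------------------------------------------------------------
#@data/values
---
images:
  example: index.docker.io/pivotaljohn/example-image@sha256:ba291808253277fadd7972e7f8b5e77a3458cdfd4dec6afe8584b9a39345bd1d
--------------------------------------------------------------------------------
/supported_k8s_versions.yml:
--------------------------------------------------------------------------------
---
oldest_version: "1.19"
newest_version: "1.24"
--------------------------------------------------------------------------------
/tests/configs/app_registry.yml:
--------------------------------------------------------------------------------
#! Test fixture for template rendering only; these are placeholder values,
#! not credentials for any real registry.
#@data/values
---
app_registry:
  hostname: gcr.io
  repository_prefix: prefix
  username: bob
  password: 123password
--------------------------------------------------------------------------------
/tests/configs/configs_suite_test.go:
--------------------------------------------------------------------------------
package configs_test

import (
	"testing"

	. "github.com/onsi/ginkgo"
	.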
"github.com/onsi/gomega" 8 | ) 9 | 10 | func TestConfigs(t *testing.T) { 11 | RegisterFailHandler(Fail) 12 | RunSpecs(t, "Optional Configs Suite") 13 | } 14 | -------------------------------------------------------------------------------- /tests/configs/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/cf-for-k8s/tests/configs 2 | 3 | go 1.13 4 | 5 | require ( 6 | github.com/onsi/ginkgo v1.16.5 7 | github.com/onsi/gomega v1.10.1 8 | gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 9 | ) 10 | -------------------------------------------------------------------------------- /tests/configs/rbac/rbac_suite_test.go: -------------------------------------------------------------------------------- 1 | package rbac 2 | 3 | import ( 4 | "testing" 5 | 6 | . "github.com/onsi/ginkgo" 7 | . "github.com/onsi/gomega" 8 | ) 9 | 10 | func TestRBac(t *testing.T) { 11 | RegisterFailHandler(Fail) 12 | RunSpecs(t, "RBac Suite") 13 | } 14 | -------------------------------------------------------------------------------- /tests/smoke/assets/test-node-app/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "test-node-app", 3 | "version": "0.0.1" 4 | } 5 | -------------------------------------------------------------------------------- /tests/smoke/assets/test-node-app/server.js: -------------------------------------------------------------------------------- 1 | var http = require('http'); 2 | http.createServer(function (request, response) { 3 | response.writeHead(200, {'Content-Type': 'text/plain'}); 4 | response.end('Hello World\n'); 5 | }).listen(process.env.PORT); 6 | 7 | function logger() { 8 | console.log('Console output from test-node-app'); 9 | } 10 | 11 | setInterval(logger, 1000); 12 | -------------------------------------------------------------------------------- /tests/smoke/go.mod: 
--------------------------------------------------------------------------------
module github.com/cf-for-k8s/tests/smoke

go 1.13

require (
	github.com/cloudfoundry-incubator/cf-test-helpers v1.0.0
	github.com/onsi/ginkgo v1.16.5
	github.com/onsi/gomega v1.10.1
)
--------------------------------------------------------------------------------
/tests/smoke/smoke_suite_test.go:
--------------------------------------------------------------------------------
package smoke_test

import (
	"testing"
	"time"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// TestSmoke is the `go test` entry point for the smoke suite. The 10-minute
// Eventually default is suite-wide: every Eventually() in this package that
// does not pass its own timeout inherits it.
func TestSmoke(t *testing.T) {
	RegisterFailHandler(Fail)
	SetDefaultEventuallyTimeout(10 * time.Minute)
	RunSpecs(t, "Smoke Tests Suite")
}
--------------------------------------------------------------------------------
/tests/ytt/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cloudfoundry/cf-for-k8s/3e13d54fb71f0938e25fb81e6023f5d9d88da648/tests/ytt/README.md
--------------------------------------------------------------------------------
/tests/ytt/blobstore/blobstore-values.yml:
--------------------------------------------------------------------------------
#@data/values
#@overlay/match-child-defaults missing_ok=True
---
blobstore:
  endpoint: ""
  region: ""
  access_key_id: ""
  secret_access_key: ""
  package_directory_key: ""
  droplet_directory_key: ""
  resource_directory_key: ""
  buildpack_directory_key: ""
  aws_signature_version: ""
--------------------------------------------------------------------------------
/tests/ytt/capi/capi-values.yml:
--------------------------------------------------------------------------------
#@data/values
#@overlay/match-child-defaults missing_ok=True
---
#! Values fixture for the capi ytt specs; every credential below is an empty
#! placeholder.
system_namespace: ""
system_domain: ""
app_domains: [""]
cf_admin_password: ""

capi:
  cc_username_lookup_client_secret:
  cf_api_controllers_client_secret:
  cf_api_backup_metadata_generator_client_secret:
  database:
    adapter: ""
    encryption_key: ""
    host: ""
    port: 0
    user: ""
    password: ""
    name: ""
    ca_cert: ""
  log_level: ""

experimental:
  quarks_secret:
    enable:

app_registry:
  hostname: ""
  repository_prefix: ""
  username: ""
  password: ""

blobstore:
  endpoint: ""
  region: ""
  access_key_id: ""
  secret_access_key: ""
  package_directory_key: ""
  droplet_directory_key: ""
  resource_directory_key: ""
  buildpack_directory_key: ""
  aws_signature_version: ""

allow_prometheus_metrics_access:
--------------------------------------------------------------------------------
/tests/ytt/go.mod:
--------------------------------------------------------------------------------
module code.cloudfoundry.org/cf-for-k8s-ytt-tests

go 1.13

require (
	code.cloudfoundry.org/yttk8smatchers v0.0.0-20220413183053-dddc7355063f
	// Older than the ginkgo v1.16.5 pinned by tests/configs and tests/smoke;
	// aligning the three test modules would simplify upgrades.
	github.com/onsi/ginkgo v1.14.0
	github.com/onsi/gomega v1.10.1
)
--------------------------------------------------------------------------------
/tests/ytt/k8s_suite_test.go:
--------------------------------------------------------------------------------
package ytt

import (
	"fmt"
	"path/filepath"
	"runtime"
	"testing"
	"time"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// templateBasePath is the absolute path of the repository root (two
// directories above tests/ytt), resolved once in init().
var templateBasePath string

func init() {
	SetDefaultEventuallyTimeout(10 * time.Second)

	// Locate this source file through the call stack so the suite resolves
	// templates correctly regardless of the directory `go test` runs from.
	_, filename, _, ok := runtime.Caller(0)
	if !ok {
		panic("Could not initialize ytt package: can't find location of this file")
	}

	// tests/ytt -> tests -> repository root
	relative := filepath.Join(filepath.Dir(filename), "..", "..")
	abs, err := filepath.Abs(relative)
	if err != nil {
		panic(fmt.Sprintf("Could not initialize ytt package: %v", err))
	}

	templateBasePath = abs
}

// pathToFile returns name joined onto templateBasePath. It neither checks that
// the file exists nor that name stays inside the repository; callers pass
// repository-relative template paths.
func pathToFile(name string) string {
	return filepath.Join(templateBasePath, name)
}

// TestDeployment is the `go test` entry point for the ytt config suite.
func TestDeployment(t *testing.T) {
	RegisterFailHandler(Fail)
	RunSpecs(t, "Config Test Suite")
}
--------------------------------------------------------------------------------
/tests/ytt/metrics/metrics-values.yml:
--------------------------------------------------------------------------------
#@data/values
#@overlay/match-child-defaults missing_ok=True
---
add_metrics_server_components:
metrics_server_prefer_internal_kubelet_address:
--------------------------------------------------------------------------------
/tests/ytt/missing_attributes/missing_attributes_values.yml:
--------------------------------------------------------------------------------
#@data/values
---
system_domain: "breathable-sidewalk.k8s-dev.relint.rocks"
app_domains:
#@overlay/append
- "apps.breathable-sidewalk.k8s-dev.relint.rocks"
#! cf_admin_password: missing, which is okay

blobstore:
  secret_access_key: glip

capi:
  database:
    password: glip
    encryption_key: glip

system_certificate:
  crt: crt
  #! key: missing

workloads_certificate:
  #! crt: missing
  key: key


#! instance_index_env_injector_certificate: missing completely

uaa:
  database:
    password: blip
    #!
encryption_key: missing 32 | admin_client_secret: stuff 33 | 34 | app_registry: 35 | hostname: gcr.io 36 | repository_prefix: gcr.io/cf-relint-greengrass/cf-workloads 37 | #! username: missing 38 | password: secret 39 | 40 | load_balancer: 41 | enable: false 42 | -------------------------------------------------------------------------------- /tests/ytt/postgres/postgres-values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | #@overlay/match-child-defaults missing_ok=True 3 | --- 4 | capi: 5 | database: 6 | name: "" 7 | host: "" 8 | user: "admin" 9 | password: "" 10 | 11 | uaa: 12 | database: 13 | name: "" 14 | host: "" 15 | user: "admin" 16 | password: "" 17 | 18 | cf_db: 19 | admin_password: "" -------------------------------------------------------------------------------- /tests/ytt/quarks_secret/quarks_secret_disabled.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | #@overlay/match-child-defaults missing_ok=True 3 | --- 4 | experimental: 5 | quarks_secret: 6 | enable: false 7 | -------------------------------------------------------------------------------- /tests/ytt/quarks_secret/quarks_secret_enabled.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | #@overlay/match-child-defaults missing_ok=True 3 | --- 4 | experimental: 5 | quarks_secret: 6 | enable: true 7 | -------------------------------------------------------------------------------- /tests/ytt/system-registry/system-registry-values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | #@overlay/match-child-defaults missing_ok=True 3 | --- 4 | system_registry: 5 | add_image_pull_secrets: true 6 | hostname: "test.test" 7 | username: "test-username" 8 | password: "test-password" 9 | -------------------------------------------------------------------------------- 
/tests/ytt/uaa/uaa-values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | #@overlay/match-child-defaults missing_ok=True 3 | --- 4 | system_namespace: "" 5 | system_domain: "" 6 | cf_admin_password: "" 7 | 8 | data: 9 | uaa.yml: 10 | 11 | uaa: 12 | login: 13 | service_provider: 14 | key: 15 | certificate: 16 | key_password: 17 | 18 | login_secret: 19 | admin_client_secret: "foo" 20 | 21 | database: 22 | adapter: "postgresql" 23 | host: "" 24 | port: 25 | name: 26 | ca_cert: "" 27 | user: 28 | password: 29 | 30 | jwt_policy: 31 | key_id: "some-key" 32 | signing_key: 33 | 34 | encryption_key_passphrase_secret_name: 35 | 36 | encryption_key: 37 | label: 38 | passphrase: 39 | 40 | capi: 41 | cc_username_lookup_client_secret: 42 | cf_api_controllers_client_secret: 43 | cf_api_backup_metadata_generator_client_secret: 44 | 45 | enable_automount_service_account_token: 46 | remove_resource_requirements: 47 | allow_prometheus_metrics_access: 48 | 49 | experimental: 50 | quarks_secret: 51 | enable: 52 | --------------------------------------------------------------------------------